Executive Summary

Government information technology is subject to a variety of rules, regulations, and procurement policies.  Computing is treated differently depending on whether the platform is based on desktops, laptops, mobile devices, or remote file servers known as cloud computing.  There are differences between the executive, legislative, and judicial branches of government, as well as in the level of privacy and security expected for various applications.  

Some people perceive higher security on desktop or laptop computers and lower security with the cloud because the latter’s information is stored remotely through third-party commercial providers.  In reality, though, there are serious security threats to all electronic information regardless of platform, and cloud server providers often take security more seriously than mass consumers or government officials employing weak passwords on their local computers. 

In this paper, I review current federal IT policy and discuss rules, practices, and procedures that limit innovation.  There are a variety of obstacles that make it difficult for policymakers to take full advantage of the technological revolution that has unfolded in recent years.  After outlining these issues, I make recommendations on policy changes required to improve the efficiency and effectiveness of federal computing. 

My specific recommendations include:

1. Public officials should develop more consistent rules on computing across desktop, laptop, mobile, and cloud platforms.  
2. The use of video, collaboration, and social networking should be authorized for congressional offices.  This would make legislative branch policy consistent with that of the executive branch.
3. Judicial branch computing should be modernized, with greater emphasis on cloud computing. 
4. There should be a more uniform certification process for federal agencies.  Right now, each agency is responsible for certifying its own applications.  It makes sense to have a “joint authorization board” with the power to review management services and certify particular products for use across the government. 
5. Congress should update the Electronic Communications Privacy Act to change the process by which law enforcement agents obtain electronic information.  Instead of using a prosecutor’s subpoena, legislation should require a “probable cause” search warrant that is approved by a judge.  This would provide greater safeguards in terms of online content, pictures, geolocation data, and e-mails.
6. Privacy rights should be placed on the same footing regardless of whether a person is using desktop or cloud computing.  It makes little sense to have weaker standards on one platform than another.  Consumers and government decision-makers expect the same level of protection whether they are accessing information on a desktop, laptop, mobile, or cloud storage system. 
7. Congress should amend the Computer Fraud and Abuse Act to strengthen penalties for unwanted intrusion into computing systems.  The law has inconsistent penalties and prosecutors have found that it is hard to prosecute cyber-crimes. 
8. Apps.gov represents a big step forward and government use should be expanded because it makes procurement easier and speeds public sector innovation.  It is a model of how the government can reinvent itself through digital technology in ways that improve efficiency and effectiveness.
9. Countries need to harmonize their laws on cloud computing so as to reduce current inconsistencies in regard to privacy, data storage, security processes, and personnel training,  
10. There should be mechanisms for data exchange that encourage portability across platforms.  We should avoid vendor lock-in that precludes data exchange.
11. Data on uptime, downtime, recover time, archiving, and maintenance schedules would help build public trust by providing information on computing performance.

Downloads

• Download the Full Paper

Event Information

Although research suggests that considerable efficiencies can be gained from cloud computing technology, concerns over privacy and security continue to deter government and private-sector firms from migrating to the cloud. By its very nature, storing information or accessing services through remote providers would seem to raise the level of privacy and security risks. But is such apprehension warranted? What are the real security threats posed to individuals, business and government by cloud computing technologies? Do the cost-saving benefits outweigh the dangers?

On October 26, the Brookings Institution hosted a policy forum on the privacy and security challenges raised by cloud computing. Governance Studies Director Darrell West moderated a panel of technology industry experts examining how cloud computing systems can generate innovation and cost savings without sacrificing privacy and security. West will also present findings from his forthcoming paper “Privacy, Security, and Innovation in Cloud Computing.”

After the program, panelists took audience questions.

Transcript

• Uncorrected Transcript (.pdf)

Event Materials

• 20101026_cloud_computing

Executive Summary

Cloud computing can mean different things to different people, and obviously the privacy and security concerns will differ between a consumer using a public cloud application, a medium-sized enterprise using a customized suite of business applications on a cloud platform, and a government agency with a private cloud for internal database sharing (Whitten, 2010). The shift of each category of user to cloud systems brings a different package of benefits and risks.

What remains constant, though, is the tangible and intangible value that the user seeks to protect. For an individual, the value at risk can range from loss of civil liberties to the contents of bank accounts. For a business, the value runs from core trade secrets to continuity of business operations and public reputation. Much of this is hard to estimate and translate into standard metrics of value (Lev, 2003) The task in this transition is to compare the opportunities of cloud adoption with the risks. The benefits of cloud have been discussed elsewhere, to the individual to the enterprise, and to the government (West, 2010a, 2010b).

This document explores how to think about privacy and security on the cloud. It is not intended to be a catalog of cloud threats (see ENISA (2009) for an example of rigorous exploration of the risks of cloud adoption to specific groups). We frame the set of concerns for the cloud and highlight what is new and what is not. We analyze a set of policy issues that represent systematic concerns deserving the attention of policy-makers. We argue that the weak link in security generally is the human factor and surrounding institutions and incentives matter more than the platform itself. As long as we learn the lessons of past breakdowns, cloud computing has the potential to generate innovation without sacrificing privacy and security (Amoroso, 2006; Benioff, 2009).

Downloads

• Download the Full Paper

The appointment of new federal chief information officer Steven VanRoekel comes at a challenging time for President Barack Obama. The national economy continues to be weak. Congress plans to cut trillions from the federal budget. And in the time leading up to the 2012 election, American voters remain cynical about the ability of the government to address important policy problems in an effective manner.

In an era of deficit reduction and public cynicism, the tasks facing federal officials are to determine how to do more with less and persuade voters the government can become smarter and more effective. There are going to be fewer dollars for virtually every federal program so it is important to figure how ways to innovate and perform more efficiently.

Former CIO Vivek Kundra sought to do this through encouraging agencies to move software applications to the cloud, consolidating federal data centers, improving transparency, and improving the information technology procurement process. It is important to continue this progress even as agencies are forced to downsize their operations.

As shown in the private sector, government administrators should use technology to cut costs, improve worker productivity, and streamline operations. This is not just a matter of using technology in more innovative ways, but changing the operations and culture of the public sector. Public officials must improve its data mining activities to identify fraud and abuse in Medicare, Medicaid, the Defense Department, and other domestic programs.

New software gives managers better tools to evaluate how money is being spent and whether it is fulfilling intended goals. If it is not, programs need to be modified or eliminated. The most important weapon in Mr. VanRoekel’s arsenal may be the scalpel as he goes through the federal government’s $80 billion IT budget.

“Missed connections” is the personals ads category for people whose encounters are too fleeting to form any union – a lost-and-found for relationships.  I gave that title to my paper on the conversation between the United States and for Europe on data, privacy, and surveillance because I thought it provides an apt metaphor for the hopes and frustrations on both sides of that conversation.

The United States and Europe are linked by common values and overlapping heritage, an enduring security alliance, and the world’s largest trading relationship.  Europe has become the largest crossroad of the Internet and the transatlantic backbone is the global Internet’s highest capacity route.

[I]

But differences in approaches to the regulation of the privacy of personal information threaten to disrupt the vast flow of information between Europe and the U.S.  These differences have been exacerbated by the Edward Snowden disclosures, especially stories about the PRISM program and eavesdropping on Chancellor Angela Merkel’s cell phone.  The reaction has been profound enough to give momentum to calls for suspension of the “Safe Harbor” agreement that facilitates transfers of data between the U.S. Europe; and Chancellor Merkel, the European Parliament, and other EU leaders who have called for some form of European Internet that would keep data on European citizens inside EU borders.  So it can seem like the U.S. and EU are gazing at each other from trains headed in opposite directions.

My paper went to press before last week’s European Court of Justice ruling that Google must block search results showing that a Spanish citizen had property attached for debt several years ago.  What is most startling about the decision is this information was accurate and had been published in a Spanish newspaper by government mandate but – for these reasons – the newspaper was not obligated to remove the information from its website; nevertheless, Google could be required to remove links to that website from search results in Spain. That is quite different from the way the right to privacy has been applied in America.  The decision’s discussion of search as “profiling” bears out what the paper says about European attitudes toward Google and U.S. Internet companies.  So the decision heightens the differences between the U.S. and Europe.

Nonetheless, it does not have to be so desperate.  In my paper, I look at the issues that have divided the United States and Europe when it comes to data and the things they have in common, the issues currently in play, and some ways the United States can help to steer the conversation in the right direction.

[I] "Europe Emerges as Global Internet Hub," Telegeography, September 18, 2013.

The United States exports digital goods worth hundreds of billions of dollars across the Atlantic each year.  And both Silicon Valley and Hollywood do big business with Europe every year.  Differences in approaches to privacy have always made this relationship unsteady but the Snowden disclosures greatly complicated the prospects of a Transatlantic Trade and Investment Partnership.  In this paper Cameron Kerry examines that politics of transatlantic trade and the critical role that U.S. privacy policy plays in these conversations.

Kerry relies on his experience as the U.S.’s chief international negotiator for privacy and data regulation to provide an overview of key proposals related to privacy and data in Europe.  He addresses the possible development of a European Internet and the current regulatory regime known as Safe Harbor. Kerry argues that America and Europe have different approaches to protecting privacy both which have strengths and weaknesses.

To promote transatlantic trade the United states should:

• Not be defensive about its protection of privacy
• Provide clear information to the worldwide community about American law enforcement surveillance
• Strengthen its own privacy protection
• Focus on the importance of trade to the American and European economies

Downloads

• Download the paper

As of today, the federal government will require that all cloud service providers have Federal Risk and Authorization Program (FedRAMP) approval. FedRAMP is a program meant to standardize the security of cloud services, thus reducing the time and effort that independent cloud providers would need to spend ensuring cloud security. According to a 2013 annual report by the General Services Administration, agencies that use FedRAMP could save 50 percent on staffing and $200,000 in costs overall. FedRAMP will operate under similar rules as the Federal Information Security Management Act (FISMA), which helps maintain security of federal IT systems, applications and databases. Both FISMA and FedRAMP will provide enhanced protection and scrutiny for federal and independent agencies.

To learn more about cloud computing, read Darrell West’s papers Saving Money Through Cloud Computing and Steps to Improve Cloud Computing in the Public Sector. Visit the FedRAMP website here.

MaryCate Most contributed to this post.

Cloud computing is becoming omnipresent in the private sector as companies latch on to this innovation as a way to manage scalability, improve flexibility, and reduce cost. Analysts at IDC predict that, over the next six years, nearly 90 percent of new spending on Internet and communications technology will be on cloud-based platforms. Apple, Google, Amazon, Microsoft, and hundreds of smaller companies are positioning themselves to dominate the estimated $5 trillion worldwide market. While few companies will provide numbers, it is estimated that Amazon and Google may run as many as 10 million servers while Microsoft runs close to one million. In short, it is an innovation that makes a mockery out of Moore’s law.

But, like all innovations, cloud computing has potential pitfalls. Public sector organizations in particular have had difficulty taking advantage of new technologies. The Heritage Foundation keeps a list over 50 examples of government ineptitude including $34 billion in fraudulent Homeland Security contracts, National Institutes of Health renting a lab that it neither needs nor can use for $1.3 million per month, and the Department of Agriculture wasting $2.5 billion in stimulus money on broadband internet. Technological ineptitude received special attention with the failed launch of the Healthcare.gov, the release of classified data from Edward Snowden, and the costly FBI virtual case file debacle.

Cloud computing is far more than just a simple technology change and requires a close examination of governance, sourcing, and security. We sought to understand how well state government is prepared to address the challenges of cloud computing.

The Approach

We have gathered and started to do a content analysis of the IT strategic plans for each state. For each plan, we performed a content analysis, which is looking for certain phrases or text within the IT strategic plan in order to have a structured way to understand the data. Details for our approach can be seen in our previous blog post.

How States Are Implementing the Cloud

We were not surprised to see a number of states preparing to study or embark on cloud computing.

While some states don’t mention it (e.g. Alabama), most states are eagerly exploring it. For example, North Dakota’s plan talks about cloud computing as an integral part of the future and seven of its thirteen major IT initiatives are centered on preparation for transitioning to the cloud “where and when it makes sense”.

Vermont puts itself squarely in the studying period. The plan describes that, “While the risks of enterprise-wide and cloud-based IT must be carefully managed, trends continue to just larger-scale operations.” Wisconsin also clearly lays out its view on cloud computing, writing that, “Flexibility and responsiveness (also) guide Wisconsin’s approach toward adoption of cloud services” and suggests that its version of a private cloud “…offers advanced security and service availability tailored for business needs.” West Virginia provides an equally balanced approach by requiring that only services with an acceptably low risk and cost-effective footprint will be moved to the cloud.

In short, all of the states that are considering cloud computing are taking a thoughtful and balanced approach.

The Good

One of the most critical aspects of cloud computing is security and, without question, states understand the importance of good security. A good example of this is Colorado who designates security as one of its four “wildly important goals” and sets the target of “10 percent reduction in information security risk for Colorado agencies by close of FY15”.

South Carolina echoed the same theme by asserting that security and confidentiality are “overriding priorities at every stage of development and deployment.” Connecticut’s plans explain the need to “continuously improve the security and safeguards over agency data and information technology assets”.

The Bad

Despite the interest in cloud computing, we were only able to find a single state (Georgia) that explicitly links governance to security and, to us, by extension to cloud computing. In Georgia’s plan, they start with the idea that “strong security programs start with strong governance” and then explicitly describe necessary changes in governance to improve security.

We were, however, impressed with the seriousness that New York, North Carolina and Massachusetts took governance but it was difficult to find many other states that did.

The Ugly

Unfortunately the results on sourcing were dismal. While a few states (e.g. Kansas, Ohio, and Massachusetts) specifically discuss partnerships, most states seemed to ignore the sourcing aspect of cloud computing. The most ominous note comes from Alabama where they make a statement that innovation in the state is being stifled by a lack of strong personnel.

While we have great enthusiasm for government to address cloud computing, some of the non-technical issues are lagging in the discussion. Good government requires that these items be addressed in order to realize the promise of cloud computing.

In December 2009, the Saban Center for Middle East Policy conducted a day-long simulation of the diplomatic and military fallout that could result from an Israeli military strike against the Iranian nuclear program. In this Middle East Memo, Kenneth M. Pollack analyzes the critical decisions each side made during the wargame.

The simulation was conducted as a three-move game with three separate country teams. One team represented a hypothetical American National Security Council, a second team represented a hypothetical Israeli cabinet, and a third team represented a hypothetical Iranian Supreme National Security Council. The U.S. team consisted of approximately ten members, all of whom had served in senior positions in the U.S. government and U.S. military. The Israel team consisted of a half-dozen American experts on Israel with close ties to Israeli decision-makers, and who, in some cases, had spent considerable time in Israel. Some members of the Israel team had also served in the U.S. government. The Iran team consisted of a half-dozen American experts on Iran, some of whom had lived and/or traveled extensively in Iran, are of Iranian extraction, and/or had served in the U.S. government with responsibility for Iran.

Read more »

Downloads

• Download

Introduction: Despite the launch of indirect, “proximity” talks between Palestinians and Israelis, Palestinian President Mahmoud Abbas continues to resist a resumption of direct negotiations with Israel absent a full settlement freeze. As chairman of the Palestine Liberation Organization (PLO) and president of the Palestinian Authority (PA), Abbas also insists that any new negotiations pick up where previous talks left off in December 2008 and that the parties spell out ahead of time a clear “endgame,” including a timetable for concluding negotiations. While these may seem like unreasonable preconditions, Palestinian reluctance to dive headfirst into yet another round of negotiations is rooted in some genuine, hard-learned lessons drawn from nearly two decades of repeated failures both at the negotiating table and on the ground.

Not only have negotiations failed to bring Palestinians closer to their national aspirations but the peace process itself has presided over (and in some ways facilitated) a deepening of Israel’s occupation and an unprecedented schism within the Palestinian polity. Such failures have cost the Palestinian leadership dearly in terms of both its domestic legitimacy and its international credibility. While it remains committed to a negotiated settlement with Israel based on a two-state solution, the PLO/PA leadership has been forced to rethink previous approaches to the peace process and to negotiations, as much for its own survival as out of a desire for peace.

Haunted by past failures, Palestinian negotiators are now guided, to varying degrees, by six overlapping and sometimes conflicting lessons:

1. Realities on the ground must move in parallel with negotiations at the table.

2. Don’t engage in negotiations for their own sake.

3. Agreements are meaningless without implementation.

4. Incrementalism does not work.

5. Avoid being blamed at all costs.

6. Don’t go it alone.

Downloads

• Download Full Paper - English