At a time of interest in cost savings and the effectiveness of government, federal policymakers have urged United States agencies to move towards cloud computing. The controversy over WikiLeaks serves as a reminder that agencies will need to be mindful of security as well.
“Cloud computing” is the latest stage in the evolution of information processing. First came the mainframe: computer services were provided by a few powerful computers at central locations. In the 1980s, computing power migrated to personal computers on the desktop, dispersed over millions of machines controlled by millions of users. With the growth of the Internet came, increasingly, cloud computing: services are offered remotely, on many independent but interconnected computers and servers. (For more background on cloud computing, see TAP’s Cloud Computing fact sheet.)
In the private sector, cloud computing has altered information-related services like software with considerable speed. The rise of software-as-a-service firms like Google and Facebook was unforeseen ten years ago and continues to make business headlines today. Google might release its own netbook as a platform for its cloud-based services by the end of 2010 (for more, see “Chromebook: Coming Next Week?” in PC World). Law professor Jonathan Zittrain explores concerns about storing consumer data online in “Lost in the Cloud.” In the context of the private sector, however, consumers seem willing to embrace some cloud-based services, although some privacy and security-related issues are likely to arise going forward. Orin Kerr describes how some constitutional privacy issues could be resolved going forward in “Applying the Fourth Amendment to the Internet: A General Approach.” Businesses may be more reticent, particularly for financial data.
The public sector tends to lag somewhat behind the private sector in deploying new technologies, but the movement to the cloud has started. Regional governments, including New York City and Los Angeles, are expected to embrace cloud-based services, as is the State of Minnesota. Deployment of technology at the federal level has been more complicated. Each agency makes its own decisions about which technology to deploy, resulting in delays. In May of 2010, U.S. CIO Vivek Kundra urged the federal government to increase the use of cloud computing, following up in July testimony. In November of 2010, the White House announced a “cloud-first” policy, saying that “consolidating more than 2,000 government data centers will save money, increase security and improve performance.” Office of Management and Budget (OMB) chief performance officer Jeffrey Zients announced that OMB will require that agencies “default to cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists.” Numerous firms, including Lockheed Martin and IBM, are poised to offer solutions.
Questions remain about how the security and privacy of cloud-based options will be assessed in the federal context. TAP scholar Ed Felten’s “Security Analysis of the Diebold AccuVote-TS Voting Machine,” describing problems with a commonly used voting machine, underscores the possibility that security flaws in technology deployed by governments can have consequences for democracy less likely to arise in the private sector. Likewise, policies that help private sector firms avoid privacy or security problems will not always be a good fit in the public sector. For example, Lorrie Faith Cranor’s “Engineering Privacy” describes how engineers can design computer systems that protect privacy by offering consumer choice. But the keeping of individual records for many government functions is mandatory. As agency tasks vary widely, the best security solutions are likely to vary from application to application, noted Casey Coleman of the General Services Administration (GSA) in an interview with Federal Computer Week. In July of 2010, Gregory Wilshusen of the Government Accountability Office testified before the House Committee on Oversight and Government Reform and the Subcommittee on Government Management, Organization, and Procurement that without further guidance on security issues “agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place.” In November, the United States CIO’s office addressed these concerns and others with the 90-page guideline, Proposed Security Assessment and Authorization for US Government Cloud Computing. The proposal lists security issues to consider in authorizing public or private cloud computing services, and proposes “continuous monitoring” of security through quarterly and annual reporting requirements. Vivek Kundra has announced that formal federal security standards will be issued by the middle of 2011.
TAP scholars with expertise in computer security issues include Ed Felten, Lorrie Faith Cranor, and Neil Gandal. Deirdre Mulligan and Ari Schwartz consider privacy and security issues related to data storage in “Your Place or Mine: Privacy Concerns and Solutions for Server and Client-side Storage of Personal Information.” Additionally, Christopher Soghoian, a Ph.D. candidate in the School of Informatics and Computing at Indiana University, remarked on how encryption could improve cloud security in 2009 at an event sponsored by the Berkman Center for Internet & Society.