Politics and Law

Will Carroll of the ACC, Srinivas Ganta of the IRS, Shalini Jerath of the FAA, and Wilma Tarry of the Commerce Department participate in a cloud computing game.

(Credit: Stephanie Condon/ CNET Networks)

WASHINGTON--The dice were hot, and Will Carroll was playing his cards just right. After leading his team to a solid second-place finish in a fast-paced, complex cloud computing "war game," Carroll seemed like a true management whiz.

The only hitch was, once the 90-minute exercise was over, the term "cloud computing" still left Carroll a bit mystified about what it really meant.

With a tabletop design resembling a fusion of craps and Monopoly, the management consulting firm Booz Allen Hamilton last week lured government workers into playing a game designed to introduce them to the concept of cloud computing. The firm also managed to rope in a few non-government types visiting the FOSE 2009 conference, such as Carroll, a graphic designer for the American College of Cardiology.

With a clear assertive, competitive streak, Carroll found himself at the center of a huddle of federal employees, barking out orders. He directed his teammates from the Commerce Department, the Federal Aviation Administration, and the IRS on whether to use cloud computing or traditional IT infrastructure to earn points in the game, which assigned tasks like protecting intellectual property or facilitating a peanut butter recall.

The game was played like this: consult your team, make your decision, pick a card indicating whether it was the right or wrong one, then collect your earnings.

"The game gave me an opportunity to meet people I wouldn't normally," Carroll said. "But, so what exactly does 'cloud computing' mean?"

Cloud computing doesn't exactly have a single, simple definition--it's being pitched and implemented various ways by tech companies including Google, Amazon.com, Sun Microsystems, Cisco Systems, and Salesforce.com. In its broadest sense, cloud computing refers to having software applications hosted by a third party, rather than in-house, and accessed via the Internet. That can cut costs for users, but it also means ceding some measure of control over the systems.

Carroll's confusion is common in Washington, where a largely bureaucratic workforce is notoriously slow to adopt new technologies. The new federal CIO, Vivek Kundra, hopes to change that, and has emphasized the efficiencies that cloud computing could create for government IT needs.

"You don't need to hire consultants to build out all this infrastructure," he told reporters earlier this month. "You just leverage what's on the cloud itself. Yet in the federal government, we don't have a single platform that allows us to do that."

The "war game" Booz Allen Hamilton hosted, in conjunction with companies like Google and Amazon, aimed to clarify its clients' confusion over cloud computing. Yet as Carroll proved, there was still plenty of uncertainty after the game.

Moreover, the game appeared to underscore some potentially significant challenges to government adoption of cloud computing. Just as Carroll found himself on a team with employees from a diverse group of federal agencies, different government departments may have to adjust to sharing space on the cloud, even if their missions vary greatly.

The point of cloud computing, said Amazon Senior Manager C.J. Moses, is "having the ability to access resources over a common infrastructure."

Yet until government agencies better define what they need from IT providers, said Booz Allen Hamilton Vice President Michael Farber, every department will want its own cloud.

"I don't think the cloud has any hope of offering any promise if we don't architect appropriately," Farber said. "Unless you think strategically about how the government works and wants to work, instead of having 150 data centers, we'll have 150 different clouds."

Each day of the FOSE conference, Booz Allen Hamilton held three rounds of the game, each with a different government theme: defense, intelligence, and civil and healthcare. The teams were handed sets of chips, some that represented money and others that represented staff. Each team had 90 minutes to go through various "tasks"--such as delivering retirement and disability services--which they accomplished by using money and resources to acquire certain IT capabilities.

The teams had the option of using traditional IT platforms, commercial cloud computing services, or a hybrid cloud--a cloud developed for a specific agency. Each carried different risks and rewards.

"Everyone thinks the game is going to be all rosy-posy about the cloud," said Greg Dupier, a Booz Allen Hamilton senior associate who was the master of ceremonies for the games. "There's a lot of hype about cloud computing, so we like to take a balanced approach and highlight the benefits and risks."

He explained that while certain government capabilities would make good use of the cloud, other functions like command and control applications and steady-state applications probably don't make sense to relocate entirely to the virtual spaces of the Internet.

Still, he and others in the IT industry say the perfect storm of shrinking budgets, shifting funding, and a new emphasis on technology in Washington will help boost the use of cloud computing in government.

"The federal government, there's no question, has unique requirements," David Mihalchik, business development manager for Google's federal enterprise team, said at the event. "But the vast majority of government customers can benefit from elements of the commercial cloud that meet their requirements."

Yet with so many IT solutions already in place--the government already spends more than $70 billion a year in IT--trying to transfer processes to the cloud would be like "trying to build a plane while flying," said Booz Allen Hamilton Vice President Drew Cohen.

"The reality is the government is a big institution with lots of agencies," Cohen said. "It's not a one-size-fits-all solution."

As the game progressed, the federal employees became more comfortable with its collaborative aspects--yet some were skeptical that people would be as cooperative or take the same risks in real life.

Shalini Jerath, who manages financial and procurement systems for the FAA, was on Carroll's team, but she spent large parts of the game standing silently back, observing the board and evaluating the risks.

While she does not currently use cloud computing in her work, Jerath said there has been some interest in adopting it at the FAA. She said cloud capabilities like analytics and document management could be useful for her. Still, taking a risk on a new way to manage data in real life would mean more than points lost or gained.

"The government is not necessarily a risk taker," she said. "Winning is not necessarily the end game."

WASHINGTON--Federal regulators on Tuesday met to hear about whether the benefits of cloud computing justify increased regulation, as privacy activists claim, or whether such an approach would do more harm than good.

"We need to be smarter about dealing with technology, and cloud computing is posing (a) risk for us," said Hugh Stephenson, deputy director for international consumer protection at the Federal Trade Commission's Office of International Affairs.

The FTC convened the two-day meeting in its offices here, which follows a series of similar workshops held in previous years on topics like spam, privacy, and behavioral advertising. The agency may file lawsuits to halt "unfair or deceptive acts or practices," meaning that if cloud computing is not unfair or deceptive, the FTC would likely not have jurisdiction.

To secure personal information on the cloud, regulators may have to answer questions such as which entities have jurisdiction over data as it flows across borders, whether governments can access that information as it changes jurisdiction, and whether there is more risk in storing personal information in data centers that belong to a single entity rather than multiple data centers.

The current panoply of laws at the state, national, and international level have had insufficient results; FTC Commissioner Pamela Jones Harbour cited a 2008 PricewaterhouseCoopers information security survey (PDF) in which 71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored.

With data management practices that are not always clear and are subject to change, companies that offer cloud-computing services are steering consumers into dangerous territory, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

Already, problems of identity theft are skyrocketing, he said, and without more regulation, data management services may experience a collapse analogous to that of the financial sector.

"I predict we are going to experience something very similar with respect to privacy within the emerging information economy," Rotenberg said. "We are going to realize we allowed very similar complex transactions to occur between nontransparent organizations, and we will pay."

Later on Tuesday, EPIC asked the FTC to pull the plug on Gmail, Google Docs, Google Calendar, and the company's other Web apps until government-approved "safeguards are verifiably established."

FTC Commissioner Harbour said at Tuesday's conference that it would be preferable if more than one large company such as Google were responsible for storing personal data.

"I see a lot of overlap between competition analysis and security," she said.

Jane Horvath, senior policy counsel for Google, said "privacy by design is ingrained in our culture, and security is one of our fundamental design principles."

If customers do not feel their data is secure in Google products, nothing prohibits them from transferring their data elsewhere, she said.

"Cloud computing is a very new market place," Horvath said. "As more and more services become available, there will be more and more providers entering this market."

Furthermore, said Kristin Lovejoy, IBM's director of governance and risk management strategy, companies that lease server space from companies like Google to launch their own applications are ultimately responsible for security standards. She also said a large-scale cloud model is easier to secure than a heterogeneous data center.

The cloud-computing sector would benefit, Lovejoy said, from standards similar to the PCI Security Standards, which were formed by major credit card companies to regulate payment account data security.

"We could define for the commercial sector a set of simplistic foundational controls, give them the ability to understand what they must do, and then build on top of that," she said.

In the industry's current state, "we don't know what we need to do, we don't know what we need to protect," Lovejoy said. "The technologies are there but not able to fully help us."

She said IBM is currently developing technology to allow individuals to create profiles to share with third parties, giving consumers the ability to manage elements of their identity. However, she said there is not enough R&D funding for such technology.

"There needs to be innovation around the technologies which push choice to the individuals," Lovejoy said.

While the FTC did not comment directly on any regulatory actions or changes in policy, international regulators said they plan to examine the implications of cloud computing on data security and privacy. The Organization for Economic Co-operation and Development should broach the subject of cloud computing at a meeting in Paris in October, said Michael Donohue, the privacy and information security administrator for the OECD.

This May, the European Union will launch a broad consultation on whether it should consider revising the 1995 data protection directive, said Hana Pechackova, the justice liberty security directorate general for the European Commission.

"We cannot pretend the technologies are the same as they were in 1995," Pechackova said. "Cloud computing and new business models are really challenging our systems. We've heard that the directive may be outdated, but we do not want to step back from our basic principles."

Currently, around 90 percent of organizations in the EU do not engage in transfers of data outside the region, said Billy Hawkes, Ireland's data protection commissioner. Cloud computing is very likely to change that, however.

WASHINGTON--Bureaucrats in Washington looking for a silver lining to the economic downturn may want to try looking at the cloud itself.

The financial downturn, momentum from the private sector, and a new Web-savvy administration have come together to create the perfect climate for government adoption of cloud computing, said software as a service vendors, federal information technology purchasers, and others at a cloud-computing conference here Wednesday.

"In 2008, we saw cloud computing move from a curiosity to a concrete option" for government, said Dan Burton, senior vice president of global public policy for Salesforce.com. "In 2009, I think you'll see it move to a mainstream procurement. It's the right model for times like these."

SaaS vendors assured government customers at the conference, hosted by the Software and Information Industry Association, that their reservations about cloud computing are unfounded. Problems related to security, reliability, and scalability have been resolved, said Zach Nelson, the president and CEO of online application provider NetSuite.

Government representatives at a cloud-computing conference Wednesday talked about their positive experiences with software as a service.

(Credit: Stephanie Condon/CNET Networks)

Furthermore, Nelson said, SaaS can be deployed faster and is more customizable than traditional software. Beyond that, he said, government employees will eventually simply demand cloud services because they are becoming a central part of daily life.

"All of us live and breathe over the Internet today," Nelson said. "If it works for business, why not for government?"

The rapid adoption of cloud-computing services is self-evident, Nelson said. NetSuite's business this year, for instance, grew 40 percent year over year.

Salesforce.com also saw a 44 percent increase in its year-over-year numbers.

Acumen Solutions, the business and technology firm, announced Wednesday it is launching a dedicated public sector cloud-computing practice. The company aims to help government agencies manage their costs by integrating SaaS solutions from a variety of vendors, including Salesforce.com, Google Enterprise, and Workday.

The challenges that remain for government adoption of cloud computing are data integration and bureaucratic resistance. Part of the resistance in Washington to developments like cloud computing stems from lingering concerns about security.

Perfect security on the cloud is an illusory goal, the conference presenters said, and the vulnerabilities of the cloud will have to be weighed against benefits like reduced costs.

"In an era where there's going to be tight resources, there will be compelling ways to do things more effectively on the IT side," said Ron Ross, the director of security for the National Institute of Standards and Technology. "We have to be able to do that in an environment that is well protected."

NIST is currently working on creating cloud-computing standards for protecting government networks and will finalize the guidelines later this year, Ross said.

When managing data on the cloud, he said, agencies have to consider the sensitivity of the data in question to determine the appropriate security controls to use.

"All data is not created equal," Ross said.

Major Larry Dillard, a program manager in the Army's Office of the Chief Marketing Officer, related how he managed to overcome the Army's resistance to change and its security concerns to adopt cloud-computing services for the Army Experience Pilot Program, a recruiting program.

"All the challenges we've faced have been self-imposed," he said. "We're not putting nuclear launch codes on Salesforce.com, we're putting the street addresses of 17-year-olds."

Dillard said he found a higher officer willing to accept the risk involved as long as modifications were made to make the program more secure, such as keeping information like Social Security numbers off Salesforce.com.

Other government agencies, along with the Army, are taking to the Web to communicate with citizens. That will only increase under the Obama administration, said Dan Chenok, a senior vice president for Pragmatics who was part of the Obama transition team.

Just as the transition Web site Change.gov used social-networking tools to solicit ideas for innovation and let visitors exchange ideas with each other, the Obama-run government is likely to implement more two-way communication with constituents, he said.

"That's a real change for federal employees," Chenok said, "that they don't need to control the information flow for the purpose of their program."

Let's move the feds into the cloud
By David Kralik

It's all too common for people to criticize government inefficiency, but rare to hear suggestions that the solution is for government to get its head into the clouds.

I'm talking about cloud computing, a transformational technology being embraced by the private sector because of its promise for enormous productivity gains and reduced costs.

Cloud computing has three basic characteristics: capabilities are accessed over the Internet, housed in an off-site data center, and paid for on a subscription basis. This new model delivers computing applications as a utility, similar to electricity or telephone service. Many applications including e-mail, office document productivity, data storage, and customer databases are moving in this direction because of the opportunity to eliminate the need to buy, maintain, or upgrade information technology systems. But sadly, outdated bureaucratic rules and regulations prevent the federal government from fully being able to embrace and reap the benefits of this technology.

David Kralik, director of Internet strategy for Newt Gingrich's American Solutions for Winning the Future.

The first benefit is cost. Three separate independent studies conducted in 2004 (Gartner Group, the Yankee Group, and Morgan Stanley Research), all suggested that the cost of cloud computing over three to five years is almost half the cost of similar non-cloud solutions. The federal government spent $64.4 billion on information technology in FY 2008, much of which could be reduced had it adopted a model that replaces significant capital expenses for hardware and upfront license fees for a system of renewable per-user subscriptions. This also brings more predictability and stability in future cost outlays and allows for scaling on demand.

The second benefit is speed. Again, because cloud applications are delivered via the Internet, deployment can be done instantly and simultaneously to thousands of users in different locations around the world. Cloud applications are also regularly updated, which can alleviate the constant challenge that government institutions face in being behind on the latest security or upgrade.

A final benefit is ease of use. If you use applications developed by Amazon, Google, or Salesforce.com you are already using applications delivered over the cloud. These applications are easy and intuitive and hold a lot promise for streamlining government if its services operated on similar efficiency. If the government of the District of Columbia can find a way to incorporate things like Google Apps into their operations, shouldn't the federal government be able to do the same?

The lack of those three benefits is what often results in many classic failed government IT projects like the FBI's 2003 decision to terminate its Virtual Case File (VCF) management system. After spending $170 million--a number itself way over budget--the FBI still doesn't have a system to track criminal activity that could prevent terrorist attacks at home, although a replacement is expected this year at a cost of over $425 million.

The VCF failure was more than just a failure of contractors; it was a failure of the type of technology (proprietary, software-based systems) that is now past its prime. In addition to helping solve homeland security challenges, cloud computing could also improve congressional constituent management systems and help reduce voter registration fraud.

With enormous benefits like these, one has to wonder: why isn't the government fully embracing cloud computing now? Two key reasons can be suggested.

Congress spends millions to support a proprietary in-house data infrastructure system at the Ford House Office Building. They do this on the theory that so long as the data is physically housed at a certain location, it can be protected from search and seizure. The same theory holds for data protection from congressional subpoenas when an administration evokes executive privilege. But if Congress can update age-old rules like the 1775 Franking Privilege for a specific technology (YouTube, as they did in October of 2008) why can't it pass a law to allow for greater business efficiency while ensuring that government data remains protected?

The second concern is security. The theory here is that because one cannot physically see where data are stored remotely and the fact that the applications are accessed over the Internet, they must be insecure. But economies of scale are allowing for more sophisticated, state-of-the-art security, disaster recovery, and service reliability features than any individual institution can deploy on its own. Specifically on disaster recovery, there is significant risk in the event of natural disaster of data being housed in one location.

But cloud computing allows for safeguards so that only authorized users can access remotely stored data. This could have prevented the serious breach of privacy such as in October of 2008 when the U.S. Department of Veterans Affairs reported that personal data on over 26 million veterans was compromised from a stolen laptop.

The move from mainframe computing to microprocessor was a major transformational change in information technology, as was the transition from punch cards to software and the invention of the Internet. A fourth major transformational shift is occurring right now as software is replaced with "software as a service," which can significantly improve government operations, lower cost, and move government into the 21st century. As we begin a new session of Congress and new presidential administration, it's time to give this technology serious consideration.

As the single largest purchaser of information technology, government could benefit from this if only it would get its head out of the sand and into the clouds.

David Kralik is director of Internet strategy for American Solutions for Winning the Future, an advocacy organization founded by former Speaker of the House Newt Gingrich.

WASHINGTON--Internet users have jumped head-first into the world of cloud computing, but both policy makers and the public have a lot to learn about it, tech experts said Friday.

Cloud computing will "transform how we do computing--and not in 10 years, but in four or five," said Mike Nelson, a visiting professor at Georgetown University's Center for Communication, Culture, and Technology and a former tech policy adviser under the Clinton administration. "This is going to change everything we do with computing, and there are lots of policy implications."

Nelson participated in a panel discussion of cloud computing hosted by Google on Friday. The discussion coincided with the release of a report by Pew Internet and American Life Project showing that 69 percent of Internet users have engaged in some form of "cloud computing" but most had high levels of concern about how their data on the cloud could be used.

"Most users understand enough" to feel comfortable with cloud computing, Nelson said, "but they don't understand what can happen to that information. There's a definite need for education in that area."

He said politicians needed to learn more about the implications of cloud computing as well, so they can "future proof" the new policies sure to be proposed in the near future. A whole host of issues are likely to be addressed, he said, from privacy and piracy to pornography and policing.

"The government has an almost unlimited capacity to screw up things," Nelson said. "We've got some huge challenges ahead of us."

"Cloud computing" refers to moving tasks typically handled by nearby PCs or servers--things like storage, software execution, and computation--to a remote server somewhere on the Internet. Cloud computing can refer to specific services on the Internet, such as photo editing, or to generic foundations, such as computing capacity.

Most Internet users engaging in cloud computing--56 percent of them--are using Web mail services like Hotmail, while 29 percent of Internet users have used online applications such as Adobe Photoshop Express or Google Documents, according to the Pew study. Forty percent of Internet users have engaged in cloud computing for at least two activities.

Despite the popularity of cloud computing, 90 percent of cloud application users said they would be very concerned if the company storing their data sold it to another party. Sixty-eight percent said they would be very concerned if their data were used for targeted advertising, and 49 percent said they would be very concerned if their data were given to law enforcement.

(Credit: Pew Research Center)

The high use of cloud applications combined with people's concerns shows "people use it more than they understand it," said John Horrigan, Pew's associate director for research.

Ari Schwartz, vice president and chief operating officer for the Center for Democracy and Technology, said there should be enough protections and privacy options for consumers online that "we should get to a point where it doesn't make a difference" how much users understand about the privacy risks of cloud computing.

"Consumers expect their information (on the cloud) to be treated as if it were stored on a home computer," Schwartz said.

He noted that once a user moves his data online, he loses the Constitutional rights he would have had over the data on a home computer.

"We hope that interpretation will change over time," he said.

Nelson said that with respect to cloud computing, "today we are about where we were in 1993 with the Web," but that "we need to be working on policy problems now."

"You have to have leadership that believes in empowering the user and the citizen," he said.

Dell's attempt to trademark the term "cloud computing" faced another setback last week after the U.S. Patent and Trademark Office sent the company a "non-final" refusal of its application.

The PTO informed Dell on August 12 that its registration of the trademark for the term "cloud computing" was refused because "the applied-for mark merely describes a feature and characteristic of applicant's services...In addition to being merely descriptive, the applied-for mark appears to be generic in connection with the identified services and, therefore, incapable of functioning as a source-identifier for applicant's services."

Although the term has been deemed too generic, Dell has six months to submit evidence or arguments in response to the PTO's decision before it is made final.

The PTO initially indicated Dell would receive the trademark on July 8 but revoked its decision on August 7.