Jon Leaman

NSA and the US Cloud Industry

Following the news around the NSA can be depressing.  Speculating on the future often leads down a pessimistic hole.  I want to share the light at the end of the tunnel I have seen.

As you may be able to tell from my intro, I’ve gone through a range of emotions regarding the NSA and all the surrounding news.  I first started caring about internet privacy and openness with the SOPA and PIPA bills.  I grew up with the internet and saw SOPA and PIPA as a way for Hollywood to do to the internet what the FCC did to radio and television.  This battle was unprecedented because the restrictions placed on radio and television had a technical justification: contention for a limited number of airwaves.  There is no such technical contention for resources on the internet as there was with radio and TV.  Thankfully, these bills have been stopped in Congress, but this is an ongoing battle.

My internet activist fire was lit, and many petitions against internet restriction bills had already been signed, when the leaks about the NSA started coming out.  There had long been suspicion that mass surveillance was happening, but no one knew the extent of its reach.  The biggest news, in my opinion, to come out of the leaks is that the NSA was actively looking to undermine encryption standards with backdoors, and that the US government was willing to shut down US-based companies that offered truly secure communications as-a-Service (see the tragic end of Lavabit and Silent Circle, two young companies with great promise).  I was emotional about this, but I struggled to find a pragmatic footing.

While I don’t agree with or condone the NSA’s actions, there is a conservative argument to be made for keeping the NSA’s programs in place.  After all, we are a world leader and we should look for advantages to stay relevant on the economic stage.  Not to mention the fact that private companies are selling mass surveillance capabilities to other private companies and to governments all around the world.  It wouldn’t be fair if the NSA didn’t monitor its citizens!

As individuals, companies, and non-US governments, how should we proceed in a world like this?  Well, there are two major problems to be solved.  The first is that if privacy is going to be a concern, full-stack open source encryption needs to be more easily available to the masses.  The mathematics behind encryption remains sound.  If encryption is implemented with care, and is open source from the ground up, it makes snooping infeasible.  The second issue is trust in US service providers.  The PRISM program alone is estimated to cost the US public cloud industry in the range of $35-180 billion over the next three years.  Currently, to address the root of the problem, the US would need to rein in the NSA’s jurisdiction over private companies’ data.  There has been progress made in the past 24 hours, but in the event that that doesn’t happen, there is a workaround.  The workaround is for companies to expand their product offerings from public cloud services to onsite private cloud deployments.  Salesforce, as an example, would need to build out a private cloud offering for companies who aren’t comfortable letting their data move outside their data center’s walls (or their host country’s borders).  For Salesforce and their ‘No Software’ slogan, this is less than ideal.

So encryption and changes to existing services are a nice first step toward winning back trust in cloud service offerings, but I think the real transition will happen when public service providers decouple their services from the infrastructure where the data lives.  I think we will see a shift toward cloud service providers becoming infrastructure-agnostic.  There is a subtle but important difference between the workaround suggested above (selling public services into private clouds) and decoupling public cloud services from the infrastructure they run on.  Using Salesforce again, if they decoupled their service from their infrastructure, they could operate just as they do today, except there would be a setting to configure where the storage comes from (e.g. a specific Salesforce DC, a private cloud, AWS, etc.).

I have a feeling that this type of offering will become more prevalent as US companies continue to compete on the world stage.  How do you see the IT industry reacting to these leaks?