Location, location, location. What is true of real estate is equally true of critical aspects of cloud computing services. While the location of a data storage center may be irrelevant to many operations and applications, the physical location of a piece of data or information is often critical in determining which sovereign nation controls that data. Indeed, if information is power, then the location of information may determine who exercises power in cyberspace.
As federal, state and local governments move toward cloud computing solutions, they need to come to terms with these challenges (often the issue is spoken of as one of "data sovereignty" - as in "which sovereign controls the data?"). At a minimum, any sensitive or confidential government data should be stored only on servers within the United States, in order to reduce the jurisdictional and security concerns that attend offshore data storage.
To see the importance of location to data security, consider America's recent, unhappy experience with the use of banking data to track terrorists' financial transactions. Shortly after September 11, the Department of the Treasury began a program that used world-wide financial transaction data to identify potentially suspicious transfers as a source of investigative leads into the sources of terrorist financing. By all accounts the financial screening program was highly successful. Stuart Levey, the Under Secretary for Terrorism and Financial Intelligence who oversaw the program, said: "For two years, I have reviewed the program's output every morning. I cannot remember a day when that briefing did not include at least one terrorism lead..."
The backstory here is illustrative of geography and data sovereignty. These international bank transactions are processed through the Society for Worldwide Interbank Financial Telecommunication ("SWIFT"), a consortium based in Belgium. For the United States, the crucial geographic fact was that SWIFT operated two redundant data centers - one in the US and one in the Netherlands. Treasury was therefore able to exert jurisdiction over SWIFT's world-wide data via its authority over the U.S. center.
In 2006, this secret Treasury program was publicly disclosed, and many in Europe complained that American access to European banking data violated European data privacy laws. To enforce their objections, and limit American access to the data, European authorities compelled SWIFT to bifurcate its data storage, keeping European data exclusively on the Netherlands server (and a new one built in Switzerland), thereby subjecting this data to rigid European privacy regulation. In short, Europe changed the extent of American access to the data by changing the location where the data was stored.
The question of control is not a new one - issues of data sovereignty have been around since the first bits and bytes of data were transferred to a cheaper offshore data storage facility. But the transition to the cloud service model has greatly exacerbated the potential for problems. When a customer uses a software-as-a-service (SaaS) cloud, the service provider owns the equipment and is responsible for housing, running, and maintaining it. And those servers can be anywhere - here in the United States; in Europe; in Russia; or in a smaller third-world country - unless restricted in some manner by the customer's contract with the service provider.
When the customer is a private sector company, the transition to cloud storage and processing services creates difficult jurisdictional issues. Whose law is to be applied? The law of the country where the customer created the data? The law of the country (or several countries) where the server(s) are maintained? Or the law of the home country where the data storage provider is headquartered? Or all of the above? At a minimum, customers need to exercise caution and get concrete legal advice before transferring data offshore.
When the customer is a government (like, say, the federal government) these difficult sovereignty issues become even more confounded by the addition of political concerns. If government data is stored overseas, it may - like the SWIFT banking data mentioned above - be subject to legal control and regulation by a different nation. Under those circumstances, the company that provides the cloud storage services is caught in the middle - a hostage to the competing legal demands of two separate countries.
I had a similar experience when I was Secretary of the Department of Homeland Security (DHS) and we were negotiating American access to international traveler information (known as Passenger Name Records, or PNR) maintained by the airlines serving the trans-Atlantic routes. American law required the airlines to deliver this international passenger data to DHS so that it could be analyzed for terrorist threats. International law authorized that requirement. But European data privacy law was said to prohibit the airlines from making that transfer because the U.S. government would not handle the information the same way Europeans did. The airlines were caught in the middle of this difficult and contentious negotiation which, at bottom, really turned on the question of which sovereign's laws applied.
If American government data is stored overseas, it will potentially be subject to the same sort of legal wrangle, with the cloud service providers caught in the middle. The problem is surely magnified when one thinks of the types of information that American governments collect and store. Aside from classified information, the Federal government stores taxpayer information; procurement information; social security and retirement information; Medicare and Medicaid health related information; and educational data (to name but a small slice of the huge amount of data stored by the U.S. government). State and local governments store driver's license and real estate data; birth and death records; criminal records; and even more detailed education records than the federal government (again, this is but a small sample). At all levels of government, we store the working-day information that helps government function: e-mail exchanges, calendars, and the like. The scope of our government's data holdings is as wide as the expanse and reach of government, and likely contains information that touches upon all aspects of American life.
Today, there is no international standard that governs the question of data sovereignty. Nor is any multi-lateral institution likely to sponsor an agreement of this nature in the near future. Rather, disputes about the control of data are resolved on a case-by-case basis, often turning on geography and/or economic factors. In the SWIFT matter, the fundamental factor that determined the resolution was that SWIFT was headquartered in the European Union and stored its data there. In the PNR case (where the ultimate resolution was closer to what America sought), the determinant was that both the passengers and the data were destined for the United States. And, likewise, when the United States began seeking banking data from Swiss banks for tax collection purposes, the critical factor was that the Swiss banks had to have a physical presence in the United States in order to be effective in the international financial market place.
For government data on overseas servers, the issues are made even more difficult to assess by the addition of national security concerns. Even if one could gain legal assurance (perhaps through contractual arrangements or international agreements) as to the integrity of data maintained in cloud servers offshore, that legal protection would not prevent or protect against intrusions and exploitations by foreign espionage agencies.
To be sure, the potential for intrusion and exploitation exists wherever cloud data servers are located. American-based servers are not immune from attack. But the vulnerability to intrusion is increased significantly when the data repository is offshore. The potential for the exploitation of an insider threat increases whenever non-American staff has access to American data. Local cybersecurity capabilities of the cloud server's host country and its internet service providers may be weaker than they are here in the U.S. Non-domestic cloud servers will be outside of the protective umbrella we are attempting to create through the public-private partnerships that govern and policy the Internet here in the United States. Perhaps most worrying, we can never know what the potential is for foreign espionage overseas nor discount the potential that peer-competitor nations like Russia and China will be more successful in targeting offshore cloud data servers.
* * * * *
The move of government data services to the cloud is, to some degree, inevitable. In these times of economic constraint, governments across America will be driven to that solution by the promise of remarkable savings, low overhead, and maintenance-free networks associated with remote data storage. This paints a halcyon picture - an almost costless transition to the cloud.
Before rushing headlong forward, however, we would do well to step back and assess the realities and limitations of this new cloud technology. One limitation, often lost in the rush, is inherent in the distributed nature of cloud-based service systems: cloud-based adaptation takes advantage of the dispersed, globalized nature of the Internet.
But the Internet has a real world physical presence with its fiber optic transmission lines and server farms. Every data storage facility is located somewhere. And when that "somewhere" is not here in the United States, we run the increased risk that the data stored overseas will be subject to the sovereign control of the country where the data is located. That may be tolerable and manageable for a private company. It is less tolerable and manageable for federal, state, and local governments. If, as some say, geography is destiny, principles of good governance and caution require US governments to control their own destiny. American government data should be stored in America and managed by Americans.