which says $22 to $35 BN qualified with an "if" statement.
> The United States has been the leader in providing cloud computing services not just domestically, but also abroad where it dominates every segment of the market. Recent revelations about the extent to which the NSA obtains electronic data from third-parties will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits. Unless the White House or Congress acts soon, the U.S. cloud computing industry stands to lose $22 to $35 billion over the next three years.
Link to the actual estimate: http://www2.itif.org/2013-cloud-computing-costs.pdf. The estimate is based on surveys conducted in June and July where 10% of respondents stated that they had canceled a U.S. cloud computing project as a result of the NSA programs. The paper than extrapolates from that and then projects the costs to U.S. business over the next three years if the U.S. loses 10%-20% of non-U.S. cloud spending over that period.
The weakness of the conclusion is that:
1) The survey is based on percentage of respondents, but that information is used to make a conclusion about dollar value of spending;
2) It assumes that the survey taken in the direct aftermath of the revaluations is representative of attitudes over the next three years.
Analysis this questionable transcends the 'take with a grain of salt' threshold, in my opinion. They're not publishing this to inform anyone, just grab eyeballs. Hooray new media...
Depressing that such hugely speculative extrapolation is getting upvoted the way that it is. This "article" is typical traffic fodder taking a flawed report at face value and reporting it as fact.
Avoiding the US because of government surveillance is odd, because we know that if you're outside the US you lose all supposed protections you have inside the US, and we know that other agencies collect everything.
GCHQ collect everything; caching it for 4 days and metadata for 30 days. These times are probably going to increase.
There are good reasons to avoid hosting anything in the US. (eg Weird lack of sensible privacy laws).
What protections do you have inside the US as a non-US citizen? While I'm sure other agencies collect things or let the US collect things for them, the fact is that most countries don't have the budget the NSA does to even do something like PRISM.
If you're in sovereign US territory, then you're provided the protections of the Constitution even if you're not a citizen. This is why there's a big stink about closing Guantanamo and moving all the inmates to Leavenworth.
It doesn't seem like the Constitution matters as much as it used to. Regardless, that shouldn't be enough reason to write off other countries for hosting your cloud data.
"if you're outside the US you lose all supposed protections you have inside the US"
Your statement seems rife with confusion. The situation is that if you're not an American citizen you lose ostensible legal protections whereever you are. The NSA is using physical location as proxy for citizenship sometimes it seems. But no one else is talking about changing physical location, just changing web hosting and related stuff (plus locating to the US to not get snooped on doesn't a logical approach).
Anyway, as to what other Internet filtering there is "out there", that is a somewhat different issue. Some large non-US companies would probably rather only be snooped by their government rather than their government and the US, since hypothetically, their government would be less inclined to do industrial espionage against them.
The major point is that you can less trust your hosting provider now when you're aware that there are practices where the provider becomes an order which affects even all the clients and that he is obliged to never say to anybody about it, and also that the interpretation of the 4th Amendment was secretly changed so that the meaning of "unreasonable" is redefined, the meaning of "search" is redefined... It is earth-shaking all together, and it should be.
I was in a meeting the other week where moving a bunch of computing services to the cloud came up. The local vendor was making great hay with the ability to assert that data stored in their cloud infrastructure would not leave our (non-US) state and their company was outside of any foreign legal jurisdiction (ie: not Amazon).
But I think the impact is actually far worse, because nobody actually cared whether it was US based. PRISM has not destroyed US business, it is destroying the cloud computing business everywhere, because nobody trusts that a) their own government is not in cahoots with the NSA anyway, or b) their own government is not even worse than the NSA.
Cloud computing has been one of the great revolutions of the last 10 years, and has seriously lowered the barrier to entry for large scale computing, dramatically boosting innovation. I think PRISM may well set us back 5 - 10 years in terms of migrating services to the cloud and the cost of that is pretty much immeasurable.
In some spheres the market is already swinging back towards the "private cloud", where the technologies hammered out from large scale cloud computing are available as commodity software and hardware solutions. And so the cycle continues...if innovation slows in one area, it will pick up in another. Perhaps it will be a net boon for the cloud in the long run; some other company opaquely housing your data has always been a problem, somewhat ironically, for government agencies, for instance, and certainly is for many private companies and individuals.
This is basically false as regards HIPAA, and I suspec the others as well. HIPAA from the outset has accommodated covered entities using third-party data service vendors under Business Associate Agreements, and there are cloud vendors prepared to operate under those, including Amazon.
It stands to reason that it'll give a 5-to-10-year head start for businesses who don't have anything to worry about from being monitored by the NSA. (Assuming there are such businesses)
Maybe I'm outing myself as a luddite, but I never understood the point of cloud computing for sensitive data in any case. If the system isn't end-to-end encrypted so it's only in plain text locally, I don't care whether it's the government can see it or some intern you hire to sysadmin for the summer can see it--I'm not putting sensitive data on that system.
I've had the same problem trying to come up with a business plan to outsource some of our tasks away from our stupid internal government IT... I can't think up a way to ensure that the sensitive PII that would be held on such a system stays securely accessible to our organization and to no one else.
Yes, it's funny, you would think end-to-end encryption would satisfy most concerns, but it does not. I don't know if that is because people don't trust / understand it, or whether it's legal (maybe you still go to the same prison if your patient data was stolen encrypted as if it was stolen unencrypted). It may be logistical (how do you keep track of the keys, what do you do if the encryption system you used later becomes compromised, or a rogue employee makes off with the keys, etc.). In any case, encrypting the data is not seen as a silver bullet to resolve the risks posed by cloud computing, and certainly nobody at all is proposing to shove data up to the cloud unencrypted - so that itself is not the issue anyway.
I think it is mainly a logistical issue. The problem is that encryption keys are a single point of failure. IT practices at most businesses would have to be very rigorous before a design with a single point of failure for any significant part of the IT infrastructure could even be remotely considered.
Changing business practices to decrease the risk of using end-to-encryption to an acceptable level has an associated cost which, at most companies, probably dwarfs the cost of its technical implementation.
We're only a few years away from having technology which could make "the cloud" provably trustworthy.
Plus, just because it's in your own datacenter today, doesn't actually make your infrastructure trustworthy, either -- incompetence tends to be a greater risk, including staff malfeasance, outside of professional IT organizations (cloud providers).
There is technology (hardware and software) which can make the cloud more secure on every dimension than what people have today (and which can be applied to on-premises as well). There just hasn't been enough demand for it in the past.
Oh, it's going to get much worse than this. You know how hard it is to be get a bank account and/or financial services if you are US citizen living abroad? Other countries simply do not want US citizen's business in banking and financial services. It's too much trouble. I think non-US based cloud companies will start to require proof that you are not a US citizen if you want to use their service. It's simply too much trouble complying with their requirements and you're risking too much. Look what happened to Freedom Hosting recently. All those sites hacked by US Gov, partially b/c the US citizen was involved (duel Irish/US).
I think it will take some time for the damage to become clear. We as a European company are using services like Google Apps, AWS, Dropbox, Skype and such.
We're not in any big hurry to incur the costs of migrating away from those, but it's definitely going to happen in the next 5 years. It partly depends on what alternatives pop up, and we're only at the start of that process.
Also, the policies that preclude ever using such U.S. services again in the future are already being put in place in many organizations.
The actual impact will be slow, but it feels very much irreversible. I introduced the use of AWS at our company. Today, I don't think I could sell that.
Some companies might move away from cloud solution and buy VPS or physical servers in co-location facilities.
However, companies like RackSpace, Amazon and Heroku doesn't really have that much to fear, they simply don't have European competitors. I might be wrong, but I struggle to even find a good European replacement for Gmail ( even though I'm willing to pay ).
I don't really trust UK companies either, so the "best" solution I found so far are companies like Hetzner. It's not really the same as Rackspace, Amazon or Heroku, maybe there's a marked for a OpenStack provider in Europe?
37 comments
[ 3.0 ms ] story [ 81.6 ms ] threadhttp://www.itif.org/publications/how-much-will-prism-cost-us...
which says $22 to $35 BN qualified with an "if" statement.
> The United States has been the leader in providing cloud computing services not just domestically, but also abroad where it dominates every segment of the market. Recent revelations about the extent to which the NSA obtains electronic data from third-parties will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits. Unless the White House or Congress acts soon, the U.S. cloud computing industry stands to lose $22 to $35 billion over the next three years.
The weakness of the conclusion is that:
1) The survey is based on percentage of respondents, but that information is used to make a conclusion about dollar value of spending;
2) It assumes that the survey taken in the direct aftermath of the revaluations is representative of attitudes over the next three years.
GCHQ collect everything; caching it for 4 days and metadata for 30 days. These times are probably going to increase.
There are good reasons to avoid hosting anything in the US. (eg Weird lack of sensible privacy laws).
Your statement seems rife with confusion. The situation is that if you're not an American citizen you lose ostensible legal protections whereever you are. The NSA is using physical location as proxy for citizenship sometimes it seems. But no one else is talking about changing physical location, just changing web hosting and related stuff (plus locating to the US to not get snooped on doesn't a logical approach).
Anyway, as to what other Internet filtering there is "out there", that is a somewhat different issue. Some large non-US companies would probably rather only be snooped by their government rather than their government and the US, since hypothetically, their government would be less inclined to do industrial espionage against them.
But I think the impact is actually far worse, because nobody actually cared whether it was US based. PRISM has not destroyed US business, it is destroying the cloud computing business everywhere, because nobody trusts that a) their own government is not in cahoots with the NSA anyway, or b) their own government is not even worse than the NSA.
Cloud computing has been one of the great revolutions of the last 10 years, and has seriously lowered the barrier to entry for large scale computing, dramatically boosting innovation. I think PRISM may well set us back 5 - 10 years in terms of migrating services to the cloud and the cost of that is pretty much immeasurable.
Changing business practices to decrease the risk of using end-to-encryption to an acceptable level has an associated cost which, at most companies, probably dwarfs the cost of its technical implementation.
Plus, just because it's in your own datacenter today, doesn't actually make your infrastructure trustworthy, either -- incompetence tends to be a greater risk, including staff malfeasance, outside of professional IT organizations (cloud providers).
There is technology (hardware and software) which can make the cloud more secure on every dimension than what people have today (and which can be applied to on-premises as well). There just hasn't been enough demand for it in the past.
We're not in any big hurry to incur the costs of migrating away from those, but it's definitely going to happen in the next 5 years. It partly depends on what alternatives pop up, and we're only at the start of that process.
Also, the policies that preclude ever using such U.S. services again in the future are already being put in place in many organizations.
The actual impact will be slow, but it feels very much irreversible. I introduced the use of AWS at our company. Today, I don't think I could sell that.
However, companies like RackSpace, Amazon and Heroku doesn't really have that much to fear, they simply don't have European competitors. I might be wrong, but I struggle to even find a good European replacement for Gmail ( even though I'm willing to pay ).
I don't really trust UK companies either, so the "best" solution I found so far are companies like Hetzner. It's not really the same as Rackspace, Amazon or Heroku, maybe there's a marked for a OpenStack provider in Europe?