Scott Charney: Cloud Security Alliance World Congress 2010

Remarks by Scott Charney, Corporate Vice President, Trustworthy Computing
Orlando, Florida
November 16, 2010

SCOTT CHARNEY: Good morning. It’s a pleasure to be with you.

I actually am going to talk about the cloud; of course, this is the Cloud Security Alliance. There has been a lot of great work done by this organization, but I actually want to put the cloud in a little bit of context, too. I’m going to sandwich the cloud between two other important topics that I think are really important to understand as we figure out how to deploy the cloud at scale with the right levels of security and privacy.

The first thing I want to discuss is the changing threat model. For those of you who have been in the security space a long time, and I started in 1991 with the government, the threat model has changed substantially over the last 20 years. And although much of it was predictable, the reality is that until it actually comes, society often doesn’t galvanize around it.

And now, you know, in a post-9/11 world, when the threats are moving not just up the stack but down the stack, and the attacks are getting far more complex and targeted, it’s important to understand that this cloud that we’re building is going to live in this threat environment.

And then, I want to talk about some of the unique aspects of the cloud, and the work being done to make sure that we have the right paradigm in place. And then I want to end by talking a little bit about the future, because we are, with this cloud transformation, at the beginning of a new transition. And thinking about the implications of this transition, not just for our enterprise customers, where a lot of the Cloud Security Alliance work is focused, but also on the people who will be connected to this thing. They have certain expectations, and the cloud will work the way that they are perceived in the world. We need to understand those things.

So, let me start by saying that I’m going to go through these topics of rethinking the threat. And then I’m going to talk about cloud security, and then I’m going to move beyond technology and talk a little bit about what’s next for us as we think about these challenging issues.

I spent a long time working with governments and industry players around the world on cybersecurity strategy, and after working on it for a very long time, it occurred to me that we were in a state of paralysis. Countries were trying to create cybersecurity strategies to deal with this emergent and ever more serious threat, and they were just getting stuck.

And so I started thinking about why are we stuck; we have so many smart minds working on the problem. And it occurred to me part of the reason we were stuck is, we were looking at the problem as a complex one, but actually it’s a complicated one. And there is a difference.

Complicated things are things that are hard, but can be decomposed into their parts, and then solved part by part by part. Going to the moon was complicated. You needed rockets to get you out of Earth’s gravity. You needed food. You needed water. You needed to deal with waste. You needed a device to land people on the moon and get them back up to the mother ship. And when you deal with a complicated problem like that, you break it up into its little parts. You solve each part, you put the parts together, and off you go.

Things that are complex can’t be decomposed in that way. Complex things are things that have a lot of different parts that interrelate in ways we don’t clearly understand, and have unpredictable consequences. The weather is complex. We can measure many of its parts, barometer, temperature, winds, and still be surprised by the weather. It is really hard to predict with accuracy, particularly long-term.

And so, when I started thinking about why we’re struggling with the threat, it occurred to me we had taken something complicated and made it complex. And what we really needed to do was decompose it into its parts. Why is it so hard to get our arms around the threat? Well, first of all, there are many malicious actors, there are individuals, there are organized crime groups, there are nation-states, and there are intelligence organizations. They have many different motives – it can be anything from financial crime to economic espionage to military espionage, potentially cyber-warfare. These actors, which are many, and these motives, which are many, they use the same techniques. A denial of service attack looks like a denial of service. The theft of data looks like the theft of data. And if it’s done by exploiting vulnerabilities, or by social engineering, it’s done by exploiting vulnerabilities or social engineering.

The reason this is so important, it means the nature of the attack often doesn’t tell you anything about the actor or their motive. It is a shared and integrated domain. It is shared by the private sector, citizens, consumers, businesses, and governments. And it’s integrated in a way that you can’t tease it apart. So, if you think about the physical space, we have laws of armed conflict. And we have things like the Geneva Convention, which says, I can shoot at your troops, and you can shoot at my troops, but we shouldn’t shoot at each other’s civilians. And if I put my troops on a hospital roof, then you’re allowed to shoot at my troops assuming the collateral damage to the civilians in the hospital does not exceed the military objective.

It may be hard to apply the rules in some context, but we have rules. And we can have those rules because you can separate out the military from the civilians, you can separate out the battlefield from the non-battlefield areas.

But the Internet is shared by all these people, and integrated in a way that you can’t tease it apart. And it’s not only shared between consumers, enterprises and governments, but the activities are also munged together. One packet can be a denial of service attack, and the next packet can be free speech. The reason this shared integration is so important is because when we think about protecting it, then we have to decide how do you protect a shared and integrated domain? Do we want the military monitoring civilian networks? Yes, it may be a lot of value in monitoring packets, and you might want to monitor packets to find the bad stuff, but do you want governments monitoring free speech? You can’t tease these things apart. The speed of attack exceeds mankind’s ability to respond. Machines attack very quickly. Humans need time. They need time to understand the attack, figure out the implications of a response. Machines don’t give you time.

The consequences are hard to predict. Very often some sort of attack can have unintended consequences and surprises because the consequences are hard to predict; it’s scary. And then, the worst-case scenarios are alarming. You’ve heard the rhetoric, e-911 and electronic Pearl Harbors.

So, basically what I’m suggesting to you is that if you look at these problems, that there are so many actors with so many motives, and we can’t tell them apart, the speed of attack exceeds our ability to respond, and the consequences could be unpredictable and devastating. You understand why people start to get stuck.

And the root of that problem, of course, is attribution — that we don’t know who is attacking and why. And the reason attribution is so important is because you have to appreciate that the national strategies to secure cyberspace are not written on a blank slate. There is a lot of history here. Throughout history, humans have created different mechanisms to deal with different kinds of problems. We create different agencies, and we give them different authorities. If it’s a crime, you have law enforcement authorities with arrest powers, and wiretapping ability. If it’s espionage, you have intelligence agencies, and different authorities like FISA. If it’s warfare, you have a different set of agencies, ministries of defense, departments of defense, and a different set of authorities (Title 10, Title 50). Which agencies you use and what authorities they have depend on two things: who is attacking and why. And what are the two things you don’t know on the Internet? Who is attacking and why.

And so everyone gets stuck. And this is going to be a big issue because, as you can see from the Cloud Security Alliance papers that I’ll talk about in a little bit, we’re starting to look carefully as an organized group about what the threats are to the cloud. How can the cloud be misused? Who is going to misuse the cloud and in what ways? And what are the responses going to be? And one of the reasons we get stuck is because we’re in this environment.

That’s also causing people to think differently about what their response mechanisms might be. And we have to start to think about, when you don’t know the critical things necessary to make an informed response, what kind of response do you make? And so you can start thinking about ethnometrics. Instead of who is attacking and why, maybe you think about probability and harm. If there’s a high probability that something really terrible will occur, well, maybe you just shoot back and ask questions later. Of course, the challenge with that approach has to do with reciprocity.

So, I spent years in the government. I chaired the G8 subgroup on high-tech crime. And in every international negotiation, I knew clearly what I wanted to happen, and I had a very firm position on that. So, for example, in the G8, one of the things we were talking about was trans-border search and seizure. Could law enforcement agents in one country access computers in another country to collect data? And you could understand why that would be incredibly important in this day and age, and also why it could be really problematic, because you may not want other countries accessing your computers with their search warrants.

And my foreign policy principle was always simple — I want to be able to do whatever I want to you, but you shouldn’t do it back. (Laughter.) In foreign affairs, reciprocity is hell. And so, if we think about new models for response, like probability and consequence, it has to go both ways, which these other countries might say, well, we have to take those actions, too, and maybe in situations where you don’t like it.

So, that’s a huge challenge for us, to figure out what that new paradigm is going to look like. But, there are going to be cases where we’re going to have better attribution. Why? Because for a long time we have been focusing on getting better attribution and networks, and the works are nascent, but they’re starting to roll. These things include being able to identify devices that connect, based on hardware identifications that are unique and robust, and having an identity meta-system roll out where people have verified identities based on in-person proofing.

I noticed that on November 1st, for example, Germany issued its first DID card. Belgium has a card. Singapore has a card. They’re starting to identify people for Internet transactions and we can do it in a way that’s actually privacy-enhancing. But, we’re going to have better authentication on the network, and in more cases we’ll be able to have better attribution. And while we will never be able to do complete attribution, there are always sophisticated adversaries who can avoid the security techniques we put in place. The fact is that by having a more robust and better-authenticated network, we can drive the noise level down.

Right now, there are so many attacks; it’s very hard to weed out the sophisticated ones from the ones that aren’t. And with better authentication, we can reduce identity theft, reduce financial crimes, drive down a lot of the noise on the network, and focus our resources on those really intractable threats. But, in those cases where we can do better attribution, it ultimately occurred to me that countries do not need a cyber-security strategy. They need four. And the reason we need four is because we have different problems with different kinds of solutions, and when we munge them all, the problems, all together, we can’t figure out what to do next.

So, here are the four strategies we really need, and the interesting thing is they’re all in different states of perfection, right. In some cases we know what to do. It’s hard to figure out how to do it well; in other cases we actually don’t know what to do. The first category is cybercrime. The reality is we have a strategy for cybercrime. We know what to do. The execution is hard. The strategy is to harmonize national laws, so there are no havens for cybercriminals. We know we need to build up capacity and capability in countries around the world. We know we need faster modes of international assistance, because most of these cases were global. Those are hard things to do, but we know how to do them.

So, that bucket is not overly complicated. The second bucket really relates to things like economic espionage and I would argue free speech, as well. There are areas on the Internet where countries have philosophical disagreements about normative behavior. For example, some countries think that the key to security is economic security, and therefore, they either conduct, or permit national industries to conduct, economic espionage. There are other countries that believe economic espionage is wrong, and that businesses should compete on a level playing field.

So, we have a disagreement between the countries. We also have disagreements over free speech. There are some countries that believe that Internet speech should be completely unfettered, for the most part — the U.S. is furthest along that continuum. There are a lot of countries in the middle that regulate more speech than the Internet, but are democracies, and have a lot of freedoms. You can look at the UK, France, Germany, Canada; they regulate hate speech and neo-Nazi speech that we would consider First Amendment protected. And then there are repressive regimes that regulate speech, because they’re trying to prevent people from organizing collectively, and taking positions that might threaten the government.

The strategy for when we had normative disagreements is also well known. There was a time when money laundering was not universally condemned, or weapons of mass destruction were not universally acted upon. When countries have those kinds of disagreements the strategy is to have discussions, figure out if you can identify the normative behaviors that people will support, agree to disagree on certain issues, and then decide what to do when you disagree.

So, you can make a good case for why economic espionage is just wrong. There is the fact that it is simply theft, but that doesn’t seem to convince a lot of countries. But, it’s also true that economic studies show that if you don’t protect intellectual property you’ll never create a robust intellectual property capital in your own country. And so like areas of money laundering, where at times banks recognize that money launderers needed a place to bank, too, and it was lucrative. You can actually reach agreements on what behavior you will sanction and what you won’t and then address it.

The third category is military espionage. We’ve seen a lot of reports in the paper about military espionage going on between nation-states around the world. I don’t want to be cavalier about this. It’s an important issue, but get over it. Military espionage has been going on for thousands of years; talking about it is not going to make it stop. Okay. There are also arguments supporting why military espionage is, in fact, a healthy thing to do. Why? Because when you can collect information on your adversaries’ real plans and compare that with what they’re telling you in diplomatic channels, you can verify whether or not they’re being truthful with you and you can actually avoid misunderstanding.

Now, the fact of the matter is that the Internet does change the face of military espionage in a problematic way. If you go pre-Internet, there was always espionage of this type, but it required high risk to the countries involved. You would put a spy in a foreign country, and they’d put spies in your country, and they’d be put at risk, and we’d arrest spies, and they’d arrest spies, and we’d go to a bridge in Berlin and we’d trade the spies. What the Internet allows you to do is take far more data at much lower risk and that’s, of course, a big difference.

And then the fourth bucket, which is somewhat – probably the hardest right now, is the notion of cyber-warfare. When I was in the Justice Department in the mid-’90s, I got criticized for a comment I made; I said, if you believe in the doctrine of information warfare, we’ve given weapons of war to people who are five. I got criticized on the theory that five-year-olds didn’t want to engage in war. I didn’t say they would engage in war. I said we gave them weapons of warfare. And that’s turned out to be true.

And the problem is, we don’t have a good taxonomy for working through these issues. We don’t know when cyber-war begins. We don’t know what the rules for conduct are, and we actually don’t even know when it’s over. We also don’t know who is committing it, and whether it’s actually a nation-state that commits war. So, you might recall, and it’s been in the news recently, because of these TSA scanners, we had an incident in December where an individual tried to blow up a plane and it landed in Detroit. In the arrest of this individual, there was a discussion about whether he was an enemy combatant, or whether he was just a criminal. It was relevant on the issue of whether he got his Miranda warnings or not, warning him about his right of self-incrimination, and right to a counsel.

Now, as it turns out, that individual had some training by Al Qaeda overseas. But, of course, there’s no requirement that if you want to blow up a plane you have to have any formal connections with Al Qaeda, or any formal training. You might just be sympathetic and want to blow up a plane. And if we treat those people as enemy combatants, then it becomes really interesting, because now you basically say a nation-state can go to war with an individual. It’s the United States versus Joe Smith, right. Then if you give Joe Smith a computer, now you can have asymmetric warfare between an individual and a country.

You might remember (I think it was 1988 roughly), a Korean passenger jetliner strayed into Russian airspace and was shot down. For a short period of time after the shooting, the Russians had denied any involvement, and then they admitted they had shot down the Korean jetliner. This came as a surprise to no one. Why? Because individuals don’t have access to fighter jets. Okay. If a fighter jet takes down a passenger liner, there’s nation-state activity. It could be a rogue employee, but there’s a nation-state breakdown of some sort. But in the Internet, that’s not true.

As we think about the things we’re doing, like building the cloud, we have to understand that there’s this threat model that’s lying behind all this stuff. If you’re either an individual or a nation-state and you want to engage in cyber-warfare, would you think about leveraging the power of the cloud? Let me think about where the data that is interesting to me may reside, and let me think about what parts of the cloud I might want to not only attack, but to breach the confidentiality of information also. Let me also think about how I map that cloud, so I can find the data I want. Maybe I can have my target, the person I’m interested in, the organization I’m interested in, and maybe with a little tweak I can route their data to be stored in my country. And then I can access it locally. Wouldn’t that be convenient?

So, we have this threat model, and it’s real, and we have to think about it. Then start thinking about the cloud, and NIST did a great job of getting us off on the right foot by giving us some definitions about how to think about the layers of the cloud, the infrastructure, and the platform, and the software and service. And we’ve started with that, and then we, of course, started thinking about what these cloud models look like. They may not all be public clouds, of course. You’ll have private, you’ll have hybrid, you’ll have community clouds — where people of like interests get together and share space.

Based on that, of course, I started thinking about Microsoft’s own transition to the cloud. And to some extent, I realized that the cloud was in some ways more evolutionary than revolutionary, in the sense that we’ve certainly had software as a service since the company bought Hotmail way back when – and that’s a classic software-as-a-service paradigm. But of course we’re also building cloud infrastructure, based on Global Foundation Services, and then we build up the stack as we think about what the services look like.

So, you’ve got that infrastructure layer, which is GFS. And then you have the platform layer, which is the operating system, the Azure part, and the services we put on top of that. And on top of that, we bring to people the applications. And I know John Howie and Mark Estberg will have a presentation tomorrow, a session on the GFS, the Global Foundation Services. But, clearly, as our CEO Steve Ballmer said, “Look, we’re all into the cloud and we’ve been rolling out more and more cloud services.” However, the questions about how you secure this cloud and provide enough robust security in this new model of computing are really challenging.

And like many other organizations we participate in, we look to the Cloud Security Alliance for guidance and it has been super helpful. Of course, they’re not on version 2 of the critical areas of focus, thinking about both architecture operations and governance. And I’ll talk more about these in a minute and highlight some of the areas where I think we will have to do a lot more work and be a lot crisper to be successful. And then, of course, there’s the guidance for application security as you go up the stack and you start thinking about the security of the APIs and the security of the applications, and how we do secure development for the cloud. And of course, this is about building the cloud and making it secure, but you can’t do that in a vacuum.

The Cloud Security Alliance also focused on some of the top threats. It was actually when I was reading these top threats that led me to think about: what is the threat environment and what are the instances in the threat environment? More specifically, how are we going to think about the broader threat environment in this shared and integrated domain we all live in? All of these threats are important ones, and serious ones, but I suggest that as we tackle specific threats we also have to up-level ourselves a bit and think about the bigger picture.

I now want to talk about some of the implications of the cloud, some of which, of course, reference the Cloud Security Alliance work, but other ones that need special focus. Clearly with the cloud, there’s a shared accountability and responsibility for security and privacy. It’s really a shared risk management model. And one of the challenges for organizations that are embracing the cloud is figuring out where the borders are. What does the customer own and what does the cloud provider own? And how comfortable will organizations and individuals be? I’ll come back to that in a little bit — how comfortable will organizations and individuals be with their loss of control?

I meet many people, as I’m sure you do too, who would much prefer to drive than fly because they believe that driving is safer. Statistics are irrelevant. They would rather drive. Why is that? I mean, 80 percent of American drivers also think they’re better than average, but that’s another problem. (Laughter.) The reason I suspect that people prefer to drive than fly is they feel like they’re in control of the vehicle. They control their fate. And when you’re flying, you have no control, and that’s just kind of scary. If something goes wrong, you can’t do anything about it. People love a sense of control.

You know, after 9/11 happened, remember what Secretary Ridge said: “People should go out and buy duct tape.” And all the psychologists said, yes, that’s a great idea. It made people feel better. The terrorists are coming. What am I going to do? I’ll go to Home Depot. That’s what I’ll do, because people want a sense of control that their fate is not predetermined and out of their direct influence, and so they’d rather drive than fly.

But the cloud is all about that, too, in a way, because what we’re asking people to do is saying, give up your sense of control. Some people think they’re in control, but they may not be doing a great job of it, just like many people are not great drivers, but they have to give up their sense of control and pass it to the cloud provider. And that creates real challenges for compliance, particularly in regulated industries that are going to want to pass some things to the cloud that their regulators are not going to give them a pass on meeting regulatory requirements. So, how we balance those responsibilities and accountabilities are going to be challenging.

Co-tenancy is going to be interesting. Data aggregation is a great thing for a host of reasons. I mean, that’s what enables the cloud to scale and be dynamic. And, interestingly enough, Microsoft just published a paper looking at the “greenness of the cloud,” one of the things we looked at through my responsibility with environmental sustainability at Microsoft. As it turns out, the cloud has many green properties to it. By aggregating data in data centers that are well run for efficiency, you’re able to drive the cost down of energy and actually get huge green benefits. So, there are a lot of reasons to move everybody into the cloud.

But, at the same time, when you aggregate data, you create a rich target. I knew a lot of people over my 20 years in this business who worried about keystroke loggers taking their credit card number, and yes, that can happen on occasion. But if you were a bad guy, would you want to steal credit card numbers one at a time, or would you want to access the database where hundreds of thousands of credit card numbers are stored? Of course you’d go for the rich targets.

And in that environment, there’s also going to be the problem where, when things go wrong, how are we going to do the shared investigations? For example, you may have data laws. Let’s take a real case and twist it a little bit. The real case is, you might have seen about a year ago, a hospital in Atlanta had an extortionate threat. A hacker claimed to have taken health records from the hospital, posted some of them, or transmitted some of them to the hospital to prove he had it. And said, hey, you have to pay me, and if you don’t pay me I’m going to disclose more sensitive PII. And the hospital, recognizing they’d be paying in perpetuity, just went public with the case, and called law enforcement, and the like.

But let’s put that in the future, and say that the same scenario happens, but the hospital is using some other cloud provider. Now, you can just see the discussion. The hospital says you lost my data from your cloud. The cloud provider says, no, we didn’t lose your data. You must have not managed the pieces that you had to manage, like authentication. Maybe you have a disgruntled employee, whatever the case may be. And suddenly you have a dispute about how did this data actually leak? Well, let’s investigate it. Let’s go look at the logs and everything else.

And the cloud provider says, we’ll do an investigation, look at the logs, and figure out what happened. And the customer might say, I don’t think so because you’re going to absolve yourself of any responsibility and put the blame on us. We’d like to come in and do the investigation. And the cloud provider says, well, there’s a problem there because it’s a multi-tenant environment and we can’t let you look at the machines to see the data of the other tenants.

How are we going to do this? Well, we could get a third party to come in; that’s something we can do. Let’s get an independent third party who is going to walk into a complicated cloud infrastructure and start parsing the data. One of the things we learned in law enforcement was that law enforcement agents couldn’t actually investigate cybercrime in the conventional way. In the conventional way, you find a dead body on the street, the police come in and they dust for fingerprints on nearby doorknobs. They interview witnesses. They take blood samples. They do the work.

In the IT environment, the lead investigator was the system administrator of the victim. Why? Because who knows what logs they’re running, and where to find them, and whether they could have been altered; the system administrator, not the law enforcement agent. So, you can say we can bring in a third party to investigate, how is that really going to work? It’s going to be complicated.

Information aggregation in the cloud is going to put new pressure on identity. Why? Because 20 years ago, if I lost my identity, my user name and password, you got my mail account. Today, if I lose my user name and password, just using my own company, Microsoft, as an example, you get my mail account. You also might get my Zune account, and Xbox accounts that have credit cards on file. You might get my HealthVault account that has my medical records stored in it. As we aggregate all this data in the cloud, what is the key to accessing all of the data, your user name and password? That’s not going to be sufficient.

And there’s also going to be questions about, in some context, how the cloud provider can use the data that they have in their cloud. In the enterprise space, there will be service level agreements, and you have lots of lawyers on both sides, and they can negotiate these things. But what about in the consumer space? Consumers click on terms of service. We know they frequently click okay on all sorts of things without reading them. What is going to be the appropriate use of this aggregated data by cloud providers, which is going to be an interesting topic?

And then we have to think about the implication of global data flows, and a shift of the balance of power between the individual and the state. Why do I say a shift of a balance of power? Because historically, we have put mechanisms in place that protect individuals from the power of the state. And in the cloud world, that is going to change in dramatic ways.

For example, if you have data on your PC that’s sitting in front of you, and I, as a law enforcement agent, want to seize that, I have to have a search warrant, or I have to subpoena documents. And if I subpoena it, you can move to quash the subpoena. But if your data is in the cloud, I can go to the cloud provider to get the data. The Supreme Court has already held that the Fourth Amendment doesn’t cover information that you turn over to third parties, that’s Smith v. Maryland. And, as a result of that, law enforcement can just go to the cloud provider and say, give me all of this person’s data, here’s a subpoena.

And, yes, the cloud provider could fight that subpoena. Do you think the cloud provider will spend time doing that? Why do they care? And, of course, this problem is going to be exacerbated by global data flows, countries all over the world will be wanting to access data, particularly of their citizens.

And I will give you a true story in this regard. Back in the mid-’90s, when I was chairing the G8 subgroup on high-tech crime, one of the things we were talking about was this issue of trans-border search and seizure. Could law enforcement agents in one country access data in another country? And we went around the room for the eight nations, and there were some very interesting opinions. Germany said no, you can never come in our country. The Russians said no, you may never come into our country. The British said, well, maybe there’s this idea of virtual presence. If we can reach it, we should be able to reach it. The French said no, you shall never come into our country and, by the way, the Internet should be in French. (Laughter.) And then the Italians said that’s very interesting because I’ve actually been searching your countries for years. He says, I arrest people in Italy. I go on their machine. I take their data. If their data is in France, I take their data.

So, we had this big discussion about this, and the issue was how are we going to deal with these global data flows. And we were doing other things, principles for law enforcement cooperation, 24-by-7 points of contact, things that are now embedded around the world, but we kept coming back to this hard issue of trans-border search and seizure. And when you’re doing those things, you try and take even extreme scenarios to see where are the limits.

One scenario was: suppose you arrest someone in a country, and they say they have a flight number on their computer and that flight number is the flight with a bomb on it. And the agents have to access it right away, but it’s in another country. And the Russians said, then the plane has to explode. They said, look, we have constitutional principles, and you can’t violate the constitution just because you have an emergency. And to some degree, we have that too. We have an exclusionary rule. We sometimes let people who are clearly guilty go free because we’re trying to protect some higher value.

And so, we’re having this discussion, and one month we’re going around the table, and the French say, actually, there might be times when a trans-border search would be okay. You could hear a pin drop. Everyone was just flabbergasted. I’m the chair. So, I’m not part of the U.S. delegation, I’m the chair. So, I said to the French delegation, I’m sure all the members would be interested to hear about this change in position. And they said, we have not changed our position, you may never search our country. But there might be times when maybe we should be able to search other countries.

So, one of the things you learn in international diplomacy when that happens is call a coffee break. So, I did. And I went to talk with the French offline, and I said, basically, what gives? And they said, look, we were investigating two French citizens in Paris for a violation of French law. And we went to AOL, and we asked them for subscriber data, name, credit card number, all that. They gave us that. Then we asked them for their e-mails, and we got back a letter from the FBI saying, we’ve received your request for mutual legal assistance. We didn’t request mutual legal assistance from the FBI. We just told AOL to give us their e-mails.

And I said, see, the problem is all of AOL’s mail is stored in Dulles, Virginia, and it’s covered by the Electronic Communications Privacy Act, and they can’t disclose it without a court order. And the French said, now, explain to us why if we’re investigating two French citizens for a violation of French law we can’t get their mail without the FBI? That was their change in position, right.

And so this is going to be really huge in the cloud space, because we’re going to create data centers all around the world in part for less latency and faster speed, and in part for you as you don’t want all your data centers in a hurricane zone, or an earthquake zone. There are a lot of reasons for geo-dispersion. There will be geo-dispersion in part because for certain industries or certain governments, you’re going to have to have local storage if you want to play in the game.

And so what does this mean for the shift of the balance of power, not just between the individual and their government, but an individual and other governments? How many Americans have really thought about whether the French can access their data, or the Germans, or the Russians, or the Australians, or anyone else? And so this is going to be a huge change.

So, what comes next? As we think about these problems, and the principles, and the things we’re thinking about in security and privacy. There has been a lot of focus on critical infrastructure protection. There is a lot of debate about what critical infrastructure is. Part of my day job is to co-chair the CSIS Cyber Commission, and we ultimately limited ourselves to four critical infrastructures: government, power, telecommunications, and banking (or financial). And there was even a rich debate about whether banking and finance was really critical infrastructure in the sense that it’s a user of the infrastructure.

We had this robust debate about banking and finance going down and we said, well, the whole banking system did just go out, and we’re still going. And the military won’t stop fighting if they don’t get their paycheck. But one of the things we did conclude is that when you have too many critical infrastructures and when you’re trying to protect everything, you don’t get enough focus.

So, we focused on four critical infrastructures. But it’s not just about critical infrastructures. It’s really about how IT has become the critical fabric for everything we do. Just imagine your life now without the Web, without e-mail, without SMS, without all of these technologies. In this new world, where it’s not just governments and enterprises that are saying, oh, this is critical to our business, but rather it’s becoming critical to a way of life. What should we be thinking about? And what should we be worried about?

Well, expectations of availability. The whole theory about the cloud is that it’s ubiquitous computing, three screens and a cloud. You’ll have small devices like phones, you’ll have midsize devices like PCs, and you’ll have large devices like TVs that will be connected to the cloud all the time. And you will always have availability. The question is, can we really meet those requirements?

Second, ubiquitous sensors and devices – the Internet of things. Everything will be recorded or collected in some way, shape or form. Just think about what the smart grid means. It’s really interesting to watch the evolution of the smart grid. We have two major problems. One is, we have global warming, and we need clean sources of power. It’s all about electrons in this context, and the problem is the places that have sun, like Florida and California, and the places that have waves, like the East and West Coast, aren’t always where you need the power. And we have big transmission problems.

But we also know that we can manage energy much more efficiently. And so there’s a TCP/IP standard for appliances, and we’re going to have smart meters, and everything else. And that smart grid is really going to be accelerated by electric cars.

It’s interesting, the Chevy Volt is coming. The Nissan Leaf is coming. Everyone is really excited about the electric cars, and the car dealers are promoting them, and there are tax credits. So, let me ask you just a little question. If everybody drives home in their electric car at 5:30, and plugs into the wall at the same time, what happens? That’s right, the grid falls over. It wasn’t built for that.

We provide electricity like we always have. We generate when there is demand. But our generation capabilities are not unlimited, and you’re talking about plugging in millions of high-voltage appliances at the same time every day. That will be fun.

So, how are we going to manage that? Well, you can manage it with software, for example. You can say, well, I have access to your calendar, and you’re going to the symphony tonight at 7:00, and you just got home at 5:00. I need to charge you for an hour or you’re not going to be able to get to the symphony. But your neighbor, well, your neighbor is not going out until tomorrow morning, so I’m going to charge it at three a.m. That will reduce the load on the grid, and also mean the electricity will be cheaper for your neighbor.

But all this stuff is going to be sensored, right, and recorded, and calibrated, and analyzed. How many of you have GPS? And there will be a value proposition for this, but everywhere you go you can be tracked, and we know where you are. And there’s a split in the courts about whether GPS tracking of this sort violates the Fourth Amendment or not.

But with these ubiquitous things, your whole life will be recorded in one way, shape or form. And that might be great, but computers never forget anything, and everything is searchable. If you’ve ever had a transgression when you were 15, and then 10 years later no one knew about it. They’ll be able to find it. Everything will be recorded, and everything will be searchable.

What does that mean for society? Is that a good thing or a bad thing? Or maybe it’s just completely full circle in a way. So, my mom grew up in a little town near Port Jervis, New York. She said, it was a little town, everybody knew everybody else’s business. When she was in high school, she told me when Mary went to visit her aunt for a few months, everyone knew she must have been knocked up — why else would you go visit your aunt in the middle of a school year for a few months. And then she came back with her baby. And then she moved to New York City. Eight million people, no one knew who she was, right? Well, now everybody can know again.

But, these are major social shifts about how we view ourselves in the world, what information is going to be available, who can get it, and with what levels of protection. What will it take for me as a marketer to know every place you’ve been and what you like to do? What does it mean if the government wants that data, because they can do other things to you, like put you in prison? This is going to be an interesting world in that respect. There’s going to be persona aggregation and disaggregation.

You see it already in places like Facebook. You just read these articles in the paper. They’re fascinating. Somebody has a wedding, they marry their significant other, and because they’re gay or lesbian, somebody might say, hey, I saw your wedding pictures and they’re shocked. That was my Facebook page. That was my private space. I didn’t know people at work were going to look. It’s public, right. And at the same time people are starting to disaggregate their personas. They want multiple personas. They want personal personas and business personas, but how does the GPS know which persona it’s tracking?

What does this mean to us as people when our whole lives are open books? And can we compartmentalize parts of our life? Can we keep our home life separate from our work life when the technology munges it all together? And to what extent will we build tools that say, hey, do you want to access the cloud and in what persona do you want to access the cloud? What things do you want to be able to see and what things don’t you want to be able to see? And if you want to pull all these things together, can we provide it to you so you can pull it together, but other people have a harder time doing that? We don’t know the answers to those questions, of course.

And business model evolution is going to drive a lot of these changes. I grew up in an age where you watch TV and people just threw advertisements at you. I was six and they were trying to sell me a car, right, but not anymore. Now with targeted advertising it’s a very different world. You can actually profile me through my activities, through the movies I download, through my GPS. Why? To give me a better value proposition; then you can send me ads that are targeted to me. And that’s, in theory, good for me because it doesn’t waste as much time and I get more value out of those interactions. It’s certainly good for the marketers because they can monetize their activities better, and that also is arguably good for me. Why? Because that ad-based model provides me with a lot of free services. The reason I can have free e-mail and the reason I can have lots of free storage is because in part it is funded by advertising. And if that advertising is more effective, then people can put more investments in the infrastructure and give me a better experience.

So, you could argue it’s a virtuous cycle, but not everybody feels that way. Some people feel that, you know, general advertising was good enough. I don’t want people tracking my activity. I get this creepy feeling when I go to a website I’ve never been and they say, here are the things we think you would like, because they’re doing predictive advertising. And that gives people a lot of creepiness. And ultimately the balances that we choose to strike in the world ahead between these security issues of securing the cloud and securing CIP, and the privacy implications of these decisions, are going to be used. And they’re not going to be cleanly worked out.

There’s going to be a lot of different parties with a lot of different points of view. There will be market drivers like business evolution. There will be government drivers like regulation and changes to EU privacy directives with accountability principles and other kinds of things that are being floated. It’s going to be really a mish-mash for quite a while, and if you want a great example of that let me close by just reminding you to look at what’s happening now when you go to the airport and look at these X-ray scanners and the backscatter scanners. And in particular the public’s reaction, because it’s a very interesting dynamic to see the way these things play out. On one hand, increasingly people are uncomfortable with the use of technology to provide transparency into them.

They don’t want to be naked at the airport and they worry about the health implications of some of these technologies. And this is in a situation where people fully grasp the risk. People know what explosives are. They know what it means for a plane to blow up. They get that part of it, but still many people think that the line has been crossed into too much invasion relative to the security benefits. In the cyberworld, the risks are not intuitive and not grasped by a lot of people. And the security that we put in place are really not well understood either. Most people have no idea how much surveillance is actually done on the Internet. Most people don’t understand how targeted marketing really works. It’s actually quite complex. There are publishers and there are advertisers and there are ad networks.

And you can collect all sorts of information, both online and offline, and aggregate it to figure out who people are and what they’re interested in. And there’s contextual advertising, which looks at what you’re doing and renders an ad. There’s behavioral advertising that looks at what you’ve been doing in the past to figure out what you might want. And there’s predictive advertising that looks at your behavior, but then looks at other people’s behavior and says, wow, if other people went off and did foo, you’ll probably go off and do foo, too.

These models are very complex. They’re not always well understood by the public at large. And so, how we frame this discussion is going to be critically important to getting intelligent choices in the policy decisions we make and in the technology we build. At the end of the day, there is a combination of things we have to do. One, of course, is you want the right social policies in place. Technology should not dictate social policy. The fact that something is technically doable – I can X-ray you at the airport, it doesn’t necessarily mean you’ll want that to be the policy.

But, even after you design the policy you have to make sure that the technology aligns to the policy that you’ve just enacted. So, Congress passed laws to protect children online, in part by doing age verification on the Internet. The problem is the technology didn’t support age verification on the Internet. So, you had a great policy objective, but no way to technically implement it. And sometimes you have both the policy right and the technology right, but the economic model is wrong. It’s not sustainable. And therefore nothing happens. And getting this right alignment between policy, IT capability, and economic viability is going to be key as we think about these issues going forward.

So, thank you very much for your time this morning. I hope that this presentation will help inform your work, not only over the next couple of days, as you’re doing and thinking about the cloud, but as you go back and just think about how we are basically transforming the world. Thank you very much.

END