The recently released summary of the U.S. government’s “black budget” showed that 35,000 people were employed and $11 billion spent annually in the Department-of-Defense-wide Consolidated Cryptologic Program. That’s a hefty sum, but it isn’t what I’m getting at.
Nor is this about security risks posed by the voluminous revelations of NSA surveillance and subversion of Internet standards provided by Ed Snowden, who has interpreted “See something, say something” in a novel way. Law enforcement and others will grimly warn us, as usual, that the surveillance’s exposure will soon have us hip-deep in drug traffickers, child pornographers, and terrorists.
No, I am wondering about the economic loss to U.S. companies caused by worldwide concerns about storing sensitive data where the U.S. government has easy covert access. And given the overwhelming U.S. dominance in the field, what will this mean for cloud computing in general?
We have been discussing the foreign concerns over the USA PATRIOT Act, especially from the European Union, in Learning Tree’s Cloud Security Essentials course for some time now. This summer’s revelations have greatly amplified these concerns. What will happen?
Daniel Castro of the Information Technology and Innovation Foundation has attempted to estimate the range of possible impacts in his interesting paper, “How Much Will PRISM Cost the U.S. Cloud Computing Industry?”.
As he explains, 41.5% of the investments made by cloud computing service providers in 2011 came from companies outside North America. Over the period 2012-2016, global spending on cloud computed is expected to grow by up to 100% while the global IT market grows only 3%.
The ITIF estimates a three-year loss over 2014 through 2016 ranging from $21.5 billion to $35 billion, depending on the U.S. cloud computing industry’s reduction in foreign market share to European and Asian competitors ranging from 10% to 20%. It’s interesting that the high-end estimate is pretty close to the annual cost of the Consolidated Cryptologic Program. Spend $11 billion in order to lose $11 billion, annually. If you keep that up long enough, you might start to notice an effect on national security.
Forbes and other serious financial publications have noticed and commented on the report. The Cloud Security Alliance surveyed its members back in June and July, finding that 10% of non-U.S. respondents reported having canceled a project with a U.S.-based cloud provider, and 56% said that they would be less like to use a U.S.-based cloud computing service. Of the U.S.-based respondents, 36% reported that the sudden public awareness of details of NSA surveillance had made it more difficult for them to do business outside the U.S.
E.U. governments are definitely upset. The German Interior Minister announced “Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers”, the German commissioner of data protection and freedom of information said “The U.S. government must provide clarity regarding these monstrous allegations of total monitoring of various telecommunications and Internet services”, and a German Justice Minister called for a boycott of U.S. companies.
Meanwhile, still in Germany, the G10 act allows German intelligence officials to monitor telecommunications without a court order, and a 2012 IDC study concluded that “The PATRIOT Act is nothing special” and governments routinely use mutual legal assistance treaties to access data held by third parties.
What will come of all this? It will be interesting to watch.