Good afternoon. I've got bad news from Washington: Politicians are working on your issues.

Good afternoon. I've got bad news from Washington: Politicians are working on your issues. Be afraid. Be very afraid. If for no other reason, be afraid because they are afraid.

Talking to politicians is part of my job. These days, I hear a lot of concern. They read the newspapers; they talk to voters; and they have questions: About what happens to personal information online. About data breaches. About foreign espionage. So: While you're looking for the best ways to secure your corporate networks, they're looking for answers through law and regulation.

The problem is legislation doesn't move at the same speed you move. Or with the same logic. And you have to multiply that problem by almost 200 because countries around the world are all working on these same issues. I talk to government officials from Brussels to Beijing. I can tell you they all have their own distinct points of view. And they all have their own policy solutions in mind.

Today, I want to show you what that means for the international marketplace. I want to focus on the cloud computing market, because it represents the most important growth area in IT right now. (It will be a trillion-dollar market in the next couple of years, according to IDC.) So I am going to give you a preview of a new report BSA is releasing next week. It benchmarks laws and regulations affecting the cloud in 24 countries that make up 80 percent of the global ICT market. And the study shows something all of us should be worried about: Governments are starting to chop up the cloud. Mismatched privacy and security rules are making it hard for data to flow across borders. International service providers are being locked out of local markets. And this is undercutting economies of scale that could benefit everyone.

So I'm going to cover three things today: First, I'm going to show you what that patchwork looks like. Then I'm going to show you who are the leaders and laggards when it comes to privacy and security policy. I'll wrap up by suggesting how we can make the marketplace work better before it falls apart completely. But before I get into the details, let me give you a mental image:

Imagine a cloud market where data moves across borders the way people do: Customs checks instead of fiber optics for ones and zeros. Long lines, backing up the flow of information. Politically, that's what we need to prevent.

I spend a lot of time talking to companies. In the past few months, I've had meetings in the Valley, in Virginia's tech corridor, and in India. I hear over and over again that people are worried about market barriers. Companies want to reach customers all over the world. They used to do it by shipping products in boxes. But more and more, they're using data centers to deliver services through the cloud. Most companies say it doesn't make financial sense to put data centers everywhere. They need to pick strategic locations for entire regions. And that doesn't work when laws and regulations act like virtual walls and fences.

Here's the patchwork landscape we have today when it comes to cloud: Countries like Japan, Australia, and the United States (shown in green) have solid policy frameworks. We analyzed them on things like privacy, security, cybercrime, and trade. They all get good marks. Others, like Indonesia and Brazil (shown in orange), have a lot of catching up to do.

We published our initial Scorecard last year. It was the first time anyone had done this kind of analysis. Next week, we're releasing a new edition. So it will be the first time anyone has tracked how the policy environment is changing. The encouraging thing is a lot of countries are lifting their games. But some are stalling. And some are taking steps that undermine the cloud market. They're effectively unplugging themselves from the rest of the world.

Countries Lifting Their Games

To see how countries are lifting their games, the best place to look is Asia. Japan stands out as the leader: It balances privacy and security concerns with innovation and growth. It has strong intellectual property laws and great IT infrastructure. It set the pace for the world last year, and that hasn't changed. But the country that has done the most to improve itself is Singapore. On our map, it's a small, green outpost in an orange region. It has a new privacy law that gives consumers confidence their data is protected. It also gives businesses flexibility to innovate.

Countries Stalling

The place we're seeing countries stall is Europe. Think of this as an Olympic sprint: All six of the European countries in our study came out of the blocks quickly. But they're not pushing for the finish line. So their scores are holding steady or slipping while others are passing them.

Countries Undermining the Cloud

Stalling like that is one thing. But we're also seeing some countries actively undermine the cloud: Korea is drafting legislation that would tie up foreign cloud providers in red tape. Other Asian countries are telling cloud services, "If you want to do business here, then you have to set up data centers here." And from Indonesia to Brazil, countries are restricting the flow of data across borders. That's no way to run a global marketplace.

Here's another way to see the consequences of chopping up the cloud: Compare policy scores to market size. This chart shows the best policies on the right side of the scale and the biggest markets on the high side. The gap down the middle is a problem. It's a big market barrier. Countries with bad policies can become too risky to enter. Over the long term, we have to bring them up to a higher standard. Otherwise, they will be a drag on the entire cloud economy. But before we can fix the patchwork problem, I think we have to take a close look at some of the key issues.

Trust and security are probably the most important issues for cloud computing. Without the right assurances, consumers lose confidence in online services. But by the same token, a heavy hand can hurt business growth. So our study looks at 10 different aspects of privacy policy and five aspects of security: Threshold questions like whether there are laws in place for personal information. And detailed questions like the scope of the law and how it works in practice.

Leaders and Laggards

This chart shows who's ahead and who's behind: Japan is number one, just like it is in the overall rankings. Korea ranks second. But that won't last if it goes through with tying up cloud providers in red tape. And the United Kingdom is third. I mentioned that Singapore has jumped way up in the rankings because of its new privacy law. But Singapore's neighbor, Indonesia, is a cautionary tale. It has made noteworthy improvements in its privacy policies. But those have been outweighed by how it's rigging the cloud market. If you want to provide cloud services in Indonesia's public sector, you have to put data centers there. Companies have to register with the central government. And, in some cases, you have to hand over source code. These kinds of policies are a big problem. They signal risk. Instead of investing in a market, companies might ask, "Why bother?" And when I talk to government officials around the world, some say that's the point.

Case In Point

I was on a panel in Europe where a high-ranking German official said, candidly, "We don't see the need for a worldwide cloud system." He said restrictive data laws can be a competitive advantage for Germany. You hear that in Brussels, too. It comes up in the debate that's happening around the revision of Europe's Data Protection Directive: People see it as a chance to box out Silicon Valley. They want to reboot the technology market. To start fresh. They want a new competition with new rules for their players.

So how do we create a more level playing field for everybody? The short answer is: Build more bridges and knock down market barriers. It's not that simple in practice, though. In our report, we lay out a seven-part formula. It covers everything from infrastructure to intellectual property. But let me keep the focus on issues of trust and security: We don't need everyone's laws to be identical. But they all have to promote good data stewardship while also enabling digital commerce. And there are different ways to do it.

Compatibility on Privacy

Take Europe and the United States. Conventional wisdom says we are more than just an ocean apart in our approach to privacy. But the truth is we share common principles. Yes, Europe has a comprehensive Data Protection Directive. And yes, the United States has a series of more targeted privacy laws for your health, for your finances, for children. We also have FTC enforcement of voluntary agreements. And we have the Fourth Amendment. So the European and US systems are quite different on paper, and both of them have strong supporters and opponents. But at the end of the day, both systems uphold individual liberties. And both ensure there's commercial rule of law.

Bridging the Divide

The two systems could certainly be more cohesive. In fact, they need to be. But one side shouldn't have to move closer to the other. There are things both need to do. Europe is implementing its Data Protection Regulation so it applies universally to all member states. That process creates an opportunity: First, Europe should adopt a context-based approach to privacy: Tight safeguards for sensitive data. More flexible rules when there's little risk of harm. Second, Europe should embrace the principle of technology neutrality. Mandating specific approaches to security would smother innovation. Finally, the EU needs a harmonized set of data protections for all of its member states. That way, Europe can operate as a true single market. Done well, it would provide legal certainty for businesses and consumers alike.

There are things we should be doing in America, too. The best example would be reforming the Electronic Communications Privacy Act. We'll hear more on that in the next panel. But the big picture is: We need clearer, simpler standards for the way law enforcement gets access to personal information. should have the same protections as paper in a file cabinet. To get either one, the government should have to get a search warrant. That same standard should apply for tracking a cell phone. And prosecutors should have to convince a court that real-time transactional data is relevant to an investigation. Those kinds of reforms would be one way to demonstrate to Europe that America's privacy laws offer similar protections to theirs.

Compatibility on Security

Let me turn to security: We can improve compatibility there, too. Europe is currently working on a Cybersecurity Strategy. The bedrock principle should be: Only regulate truly critical services, not a broad universe of online activity. That would be a burden for business, and it wouldn't help the public. Second, there should be a consistent standard for notifying people when there's a data breach. Finally, as in all things, technology mandates are a bad idea. Companies need flexibility to develop new solutions to rapidly evolving threats.

In the United States, we need to pick up where we left off in the last Congress. The House passed a bill to promote sharing of threat information between the public and private sectors. The Senate had a bill almost to the finish line but couldn't get it done. So last month President Obama issued an Executive Order, which was his down payment on legislative action. Congress should move quickly to supplement it by passing an information-sharing bill. We also need to reform how the federal government protects its own IT systems. We need to increase cyber R&D and promote cyber education. And we need to foster better international cooperation.

Getting all this done will take a lot of work. But I'm optimistic. At BSA, we are determined to knock down any barrier that stands in the way of a truly global cloud. It will take your help, though. In Washington, there is an old adage: "If you're not at the table, you're on the menu." It's the same in the cloud economy: If the tech community doesn't make itself heard, then the cloud will get stuck in that long Customs line I showed you. Lawmakers need us to point them in the right direction. So, please: Watch for our report; it will be out March 7. Share it with friends and colleagues. Let's make sure everyone knows what is at stake. Thank you.