Government Again Behind the Curve: Efforts to Implement Cloud Computing in the Public Sector

Gartner, a leading IT research firm, predicts that "by 2012, 80 percent of Fortune 1000 enterprises will pay for some cloud computing service, while 30 percent of them will pay for cloud computing infrastructure." But there's been far less progress in the public sector, according to recent report released by Vivek Kundra, Obama's Federal Chief Information Officer.

On July 21, Brookings' Center for Technology Innovation held an event called Moving to the Cloud: How the Public Sector Can Leverage the Power of Cloud Computing focused on how to improve the adoption of cloud computing in the public sector, including:

• Dawn Leaf, Senior Executive for Cloud Computing at the National Institute for Standards and Technology (NIST),
• David McClure, Associate Administrator of the Office of Citizen Services and Communications at the General Services Administration (GSA), and
• Katie Ratte, Attorney for the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC).

Much of the discussion revolved around a recent paper released by moderator Dr. Darrell M. West considering what must be done to improve federal computing. Although the Federal government spends $76 billion on information technology and $20 billion on hardware, software, and file servers each year, it spends little on cloud computing—which is unfortunate for taxpayers, because of the potential cost savings and efficiency gains from cloud computing.

The panel and West's paper suggested several positive steps that could be taken by government:

1. There does not appear to be any expansion of government regulation, taxation or control over the cloud computing sector.
2. The security concerns are real, but manageable.
3. The private sector's embrace of the cloud highlights the benefits of cloud computing for the public sector.
4. Privacy issues are not made any worse for those individuals who store data in the cloud.
5. Over the long term, embracing cloud computing should lo.
6. The measures being taken aim to empower those who use the cloud to make decisions rather than government bureaucrats.

Each panelist, as requested by Dr. West, presented the actions being taken by his/her respective agency to support the adoption of cloud computing in the public sector.

Dawn Leaf discussed how NIST is providing recommendations and guidance to federal agencies on how to implement the cloud. The NIST mission, in her view, mandates that the agency encourage collaboration between the public and private sector to develop standards, define cloud computing, and develop the Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) program. Although NIST cannot commit to a completion date for standards, SAJACC is on schedule to be ready by the end of the year.

David McClure surveyed federal cloud computing initiatives being undertaken by the GSA. Because of its mission, GSA sees its role as making government use of technology "cheaper, faster, and greener" through the use of apps.gov, and enabling government agencies to embrace the cloud. The characteristics, relative ease of mitigating risks, and benefits borne by those who use the cloud were all touted as reasons to adopt the cloud.

Katie Ratte discussed the advisory approach taken by the FTC to the emergence of cloud computing in the public and private spheres: the FTC does not back any specific technology but instead takes a flexible approach. The FTC roundtables on privacy issues have revealed the need to explore many of the same questions asked in other areas of technology policy, the impact of the cloud on citizens and businesses, and why so much discussion has turned back to the cloud.

There were four topics initially presented by Dr. West that reflected many of the questions asked by him and audience members: (1) government's inconsistency across computing platforms, (2) privacy rules and protections, (3) performance transparency, and (4) uniformity of standards.

Government's Inconsistency across Computing Platforms

There are different rules for different mediums (desktops, laptops, mobile devices and the cloud) and across branches of government, thereby creating vast inefficiencies across computing platforms that could be eliminated with the proper actions.

• How prevalent are clouds stretching across government agencies? McClure explained that this is already occurring but still needs to be jumpstarted in some instances. To accelerate adoption of the cloud, a business-like structure has been adopted to enable substantial cost savings. Once cloud computing is a concern at an agency, the GSA provides resources and personnel to help adopt the cloud in a way that is well-suited for that agency and its interactions with other agencies.
• What steps have the GSA has taken for migration of government email systems from the desktop to the cloud? McClure explained how it is economical and generally advantageous to take such steps. However, he would not reveal any specific actions being taken by GSA to help government agencies make this a reality.

Privacy Rules and Protections

Judicial rulings have given users of cloud computing less privacy protections than other mediums, a situation in which it is unclear whether there should be any distinction. There are also two chief concerns intimately related to privacy issues being raised by Congress: security and data protection.

• Could there be a BP-like incident involving a massive privacy breach from government systems in the cloud and, if this does occur, should a standardized government solution be implemented? There are actions being taken to prevent such a calamity, although such actions were not revealed by the panelists. Nonetheless, there is no one-size-fits-all approach, but government must take decisive and substantial action, in their view, if such a breach occurred.
• What can be done to avoid "too big to fail" apparatuses such as those in the financial sector? Because of this, there is a need to work more on security so that citizens understand how this environment works. Citizens will, therefore, be able to make decisions with proper knowledge to help prevent such a calamity from taking place.

Performance Transparency

A great sense of public trust could be created if performance data was publically provided on reliability, security, recovery time, maintenance schedules, and data archiving. This would resolve the lack of understanding of cloud computing among the public.

• What about ensuring citizens' access to information, as in the Open Government Directive? Implementing the cloud should not have any real affect on this directive.
• Is there a delay in implementation relative to the emergence of the cloud? The panelists agreed that more can be done to meet the demands of users without implementing burdensome regulations.
• Who should ultimately make decisions related to the cloud? Ratte believes that the role of the FTC is to facilitate discussion and issue guidance, as that is the scope of its mandate. Congress and the courts should, therefore, deal with the related statutes.

Uniformity of Standards

A more uniform certification process would create efficiencies and significant economies of scale in the process of adopting and using cloud computing in the public sector.

• What is the process for developing standards at NIST? Leaf explained how, rather than developing standards on its own, NIST facilitates development broadly with industry, academia and the broad public stakeholder's standards. She also spoke about how NIST cannot address all areas with standards—maybe a top 20 percent of standards can be addressed—and that there is little agreement on the highest priorities.
• Can portability standards avoid vendor lock-in? This question was answered with a pro-consumer message: agencies can and should identify to what extent the presence of cloud computing features meet their demands. The process undertaken by groups studying the issue should thus provide solutions to the problems being faced by government, businesses and citizens.

In sum, despite government taking a fairly sensible approach to the adoption of cloud computing, there are certainly costs accrued by implementing and using these technologies. It remains to be seen whether government agencies will take the necessary actions to minimize the costs borne by implementing and using the cloud, as they face a different incentive structure than private industry.

If adoption of the cloud occurs as outlined here, government should be more efficient and cost-effective. Although usually slower than the private sector to adapt, generally speaking, the best measures are being taken in the most appropriate way for government to utilize this technology. The hope is that the cloud will have the same transformative effect on the public sector as it has had on private industry in a way that does not further burden the taxpayer or compromise the privacy of those who use it.