The U.S. government's admission this week that it has been engaged in large-scale collection of data on private citizens' activities was a revelation that brought considerable response from all points on the political spectrum. As there are already plenty of commentators extemporizing on the political and social implications of the news, let me focus on the technological implications, which I expect will be significant.
The first and most profound effect will be a serious reconsideration of the wisdom of putting data into the public cloud. The previous argument for migrating data and apps to the cloud was that cloud hosts, such as Amazon, Google, and Microsoft, are much better at defending their systems from hackers than most corporate IT departments are. This view is supported by the contention that those companies can afford to hire hundreds of security professionals to provide the necessary protection, vigilance, and intelligent response while most IT organizations can hire perhaps a few dozen, with no real ability to scale response in times of attack.
This argument, taken by itself, is still valid. However, it can no longer be taken by itself. A new dimension has appeared; namely, that the government can more or less at will see the contents of communications and data held on servers at cloud hosts. The important factor is that the government can gain this access without ever notifying the target company that its data has been copied to government servers.
However, a company that hosts its data behind its own firewall stands a better chance of being subpoenaed for access to the data. The subpoena gives the company the ability to review the request, contest any errors, or seek to limit its scope.
Private clouds are an inherently partial solution, however. Some IT operations must be outsourced. For example, very few companies host their own websites in internal datacenters. Websites are almost always hosted by specialist companies that can provide the full infrastructure and the large pipes. Likewise, financial transactions, especially in consumer industries, are invariably handled by third parties whose records can be subpoenaed as if transaction data belonged to the processor rather than the vendor. And so on.
If companies in greater numbers insist on private clouds because of the controversy, they will likely add universal encryption as a standard business practice. Such encryption which is costly, burdensome, and affects the performance of all transactions will become necessary not just because of the issues raised by government access, but as a defense to increasingly potent commercial and sovereign cyber attacks.
While five years ago, attacks against companies were mostly a scourge brought on by script kiddies and criminal gangs, the new waves of attacks are much more serious. State-sponsored cyber attacks from China, North Korea, and Iraq now have the goal of disabling businesses, rather than simply stealing trade secrets or customer data.
Earlier this year, for example, operations at several South Korean banks were frozen for several days by just such an attack, which was traced to the country's northern neighbor. Earlier, the Saudi-Arabian national oil firm Aramco suffered a disruption in operations caused by Iranian cyber warriors.
When you speak with security experts, they are concerned that corporations are still slow in preparing for such attacks. They see a pervasive sense of denial at many companies or, even more incredibly, a conviction that current security measures are sufficient. The release of the details on the government eavesdropping might well disabuse IT organizations of both notions. The threat is not so much getting caught up in a terrorism investigation, but rather that if the government gathers proprietary data or trade secrets in the course of an unrelated investigation, it has no obligation to the data owner to protect the data or accord it any special protection now or in the future.