In 1811, some English textile workers, fearing changes to their way of life, took axe and sledgehammer in hand and went after the new mechanical looms coming into use during the Industrial Revolution. This attack on new technology because it was new and different (and therefore, bad) usually earned them the hangman's noose, but it also coined a new term. Members of this movement identified with a mythical leader known as General Ned Ludd and, thus, people who oppose technology because it's new and different are often known as Luddites.
So why I am giving a lesson on 19th century history? Because, on December 14, the Los Angeles City Council voted unanimously to modify their cloud email contract to keep the police department and city attorney's office out of the cloud and on an old in-house email system. Really? The LA Times story about the decision portrays this as a defeat for Google, which is the city's choice for cloud-based email, but I would argue this is a defeat for everyone, including the police, lawyers and the citizens of LA.
The story quotes the city's CIO, highlighting that the real issue is that the security rules are not compatible with the cloud environment. In fact, the staff report provided to the council states, "Although CSC does not have the technical ability to comply with the City's security requirements, it should be noted that the DOJ requirements are not currently compatible with cloud computing." (Note: CSC is the firm LA hired to implement Google cloud email.)
Now we are on to something. So, we have a technology solution that saves money (LA has already saved over $2 million, according to Google) encourages more mobility and telework, saves energy, and most importantly, is more resilient, but we should abandon it because the rules don't fit? Nope. We need to fix the rules. This is why people growl at Washington. We make rules to "fix" problems, but don't fix rules to make problems go away.
This is not a technical problem. Cloud-based email can be made secure enough for law enforcement, just as it has been for financial, healthcare and other business sectors. This is not a Google issue; Microsoft and IBM sell cloud-based email too, as do others. This, like many of the issues discussed in this space, is a policy and culture issue.
What we need is for the folks in LA to sit down with the folks at the Department of Justice in D.C., along with OMB, NIST, GSA, NSA, DHS and whomever else they need to solve this problem and find a set of criteria that protect the sensitive data, but are compatible with the march of progress. Not in six months or a year from now, not "sometime in the second quarter of 2012," but before Christmas. This Christmas.
The folks at the European Organization for Nuclear Research (CERN) have the elusive Higgs boson (aka the God particle) cornered, but we are struggling with rules to secure email in the Internet? The problem is not the security and technology. The problem is that we too often let policy drive our needs, instead of our needs driving policy. So that's what I want this holiday season: rules that work for technology, not technology that work for rules.
I look forward to your thoughts and comments. You can email me at jsawislak@teleworkexchange.com or check out my blog at TeleworkExchange.com.
Follow Josh Sawislak on Twitter: www.twitter.com/jsawislak
Elaine Mah: What's Your Data Worth?
The LAPD's Gmail Fail | John C. Dvorak | PCMag.com
LAPD | Gmail | The Daily Caller
It's official: The LAPD ain't going to Google — Cloud Computing News
L.A. City Hall's Move To Google's Free Gmail So Far A FAIL; Could ...
There is another, deeper way to read the actions of those Luddites. It can also be argued that they were objecting to the mechanization of people, and the transfer of money from many small businesses to the pockets of a few industrial oligarchs. I detect a tone in your argument, suggesting that "the march of progress" is inherently good. Technology was supposed to provide security, ease, and leisure for humanity. Instead, in many ways, it has served to enrich a few at the expense of the whole, and bring humanity to the brink of ecological and economic catastrophe. That is not an indictment against technology, as much as it is, the use of technology. I don't have an opinion about cloud based email vs in-house. I'm only suggesting we take a more nuanced view about technology. With all the cancer that I am suddenly confronted with, in friends and acquaintances, most of whom are young, I don't think we can afford anymore, blind faith in technological progress.
www.offthegridmpls.blogspot.com
Good points. I am not an expert on the Luddite Movement (and have gotten some blowback from at least one Luddite group on Twitter), so probably a poor choice of headline. I will also stipulate that not all "progress" is good as there are plenty of examples of stumbles forward (e.g., asbestos, possibly PBAs, etc.). However, my main point is that not using a technology because the current policy does not allow it is foolish. Rather, we should look at the purpose and goal of the policy (in this case security) and rewrite the policy to allow technologies that meets the goal, even if it does it differently than was possible when the policy was written. So, I stick with my main thesis, even if I could have explained it better. Maybe someone should get me a book on Ned Ludd for Christmas.
LA says LAPD can't use Gmail because "DOJ requirements are not currently compatible with cloud computing". This isn't true. The Feds are actually trying to encourage cloud computing, not block it. The FBI operates a national criminal database that contains highly sensitive information on millions of people. It sets minimum security and privacy requirements that police IT systems have to meet before they can access the database. For example, email messages have to be encrypted, and outside contractor employees who can access the data (maybe in the cloud) must pass a criminal background check.
Google told LA it didn't want to meet these requirements, perhaps because they don’t fit its business model, which repurposes a consumer product for government users. There’s nothing wrong with that strategy – for the right customers it can be very smart and cost effective. But it’s not right for law enforcement, and it’s wrong to blame the Feds for what is essentially Google’s problem. There are other vendors out there (some smaller than Google) who serve the government market and have cloud apps that meet the FBI’s requirements.
Here's an AOL piece that explains the issue: http://gov.aol.com/2011/12/19/los-angeles-ends-google-apps-for-lapd-decision-bigger-than-you/