In 1811, some English textile workers, fearing changes to their way of life, took axe and sledgehammer in hand and went after the new mechanical looms coming into use during the Industrial Revolution. This attack on new technology because it was new and different (and therefore, bad) usually earned them the hangman's noose, but it also coined a new term. Members of this movement identified with a mythical leader known as General Ned Ludd and, thus, people who oppose technology because it's new and different are often known as Luddites.
So why I am giving a lesson on 19th century history? Because, on December 14, the Los Angeles City Council voted unanimously to modify their cloud email contract to keep the police department and city attorney's office out of the cloud and on an old in-house email system. Really? The LA Times story about the decision portrays this as a defeat for Google, which is the city's choice for cloud-based email, but I would argue this is a defeat for everyone, including the police, lawyers and the citizens of LA.
The story quotes the city's CIO, highlighting that the real issue is that the security rules are not compatible with the cloud environment. In fact, the staff report provided to the council states, "Although CSC does not have the technical ability to comply with the City's security requirements, it should be noted that the DOJ requirements are not currently compatible with cloud computing." (Note: CSC is the firm LA hired to implement Google cloud email.)
Now we are on to something. So, we have a technology solution that saves money (LA has already saved over $2 million, according to Google) encourages more mobility and telework, saves energy, and most importantly, is more resilient, but we should abandon it because the rules don't fit? Nope. We need to fix the rules. This is why people growl at Washington. We make rules to "fix" problems, but don't fix rules to make problems go away.
This is not a technical problem. Cloud-based email can be made secure enough for law enforcement, just as it has been for financial, healthcare and other business sectors. This is not a Google issue; Microsoft and IBM sell cloud-based email too, as do others. This, like many of the issues discussed in this space, is a policy and culture issue.
What we need is for the folks in LA to sit down with the folks at the Department of Justice in D.C., along with OMB, NIST, GSA, NSA, DHS and whomever else they need to solve this problem and find a set of criteria that protect the sensitive data, but are compatible with the march of progress. Not in six months or a year from now, not "sometime in the second quarter of 2012," but before Christmas. This Christmas.
The folks at the European Organization for Nuclear Research (CERN) have the elusive Higgs boson (aka the God particle) cornered, but we are struggling with rules to secure email in the Internet? The problem is not the security and technology. The problem is that we too often let policy drive our needs, instead of our needs driving policy. So that's what I want this holiday season: rules that work for technology, not technology that work for rules.