Earlier this month The Information Technology & Innovation Foundation (ITIF) published a prediction that the U.S. cloud computing industry stands to lose up to $35 billion by 2016, thanks to the National Security Agency (NSA) PRISM project, leaked to the media in June.
We think this estimate is too low, and that the true potential cost could be as high as $180 billion -- or a 25 percent hit to overall IT service provider revenues in that same timeframe. That is, if you believe the assumption that government spying is more of a concern than the business benefits of going cloud.
Having read through the thoughtful analysis by Daniel Castro at ITIF, we commend him and this think tank on their reasoning and cost estimates. However, the analysis really limited the impact to the actions of non-US corporations.
The high-end figure assumes US-based cloud computing providers would lose 20 percent of the potential revenues available from the foreign market. However, we believe there are two additional impacts that would further be felt from this revelation:
1. US customers would also bypass US cloud providers for their international and overseas business - costing these cloud providers up to 20 percent of this business as well.
2. Non-US cloud providers will lose as much as 20 percent of their available overseas and domestic opportunities due to other governments taking similar actions.
Let's examine these two cases in a bit more detail:
You don't have to be a French company, for example, to be worried about the US government snooping in the data about your French clients. That's a worry any company, regardless of country of origin, should be concerned about.
Yes, if you are a US corporation you are subject to the US Patriot Act, but in this case the US government would have to subpoena you directly rather than going behind your back to your US-based service provider.
European Union rules require data about EU citizens be stored and retained in the EU. US corporations are subject to this rule just as EU companies, so seeking an EU-based cloud provider or non-cloud IT provider would be a prudent tactic for a US business as well. Outside the EU there are similar regulations, such as in Australia and Canada, that would warrant like behavior.
While this loss of revenue would be significantly smaller than direct foreign investment, the total could still add another $10 billion to the overall losses for this market. Not to mention the added expense to US companies who would have to work with multiple service providers around the world with different procedures, regulations and security standards. What fun.
The second impact is coming, make no mistake about it, and will be far more costly. It's naive and dangerous to think that the NSA's actions are unique. Nearly every developed nation on the planet has a similar intelligence arm which isn't as forthcoming about its procedures for requesting and gaining access to service provider (and ultimately corporate) data.
As stated in the ITIF report, German intelligence has the G10 act which lets them monitor telecommunications traffic without a court order. Forrester analyst Andrew Rose, in his blog, talked about a similar "legal" surveillance report from India.
Forrester maintains a privacy and data protection heat map of the globe that highlights which countries have clear rules (Caution) and those who don't (Alert) for government surveillance, data residency and other security rules of merit. While the US may be a place for caution, there are many other countries who should be looked at far more fearfully.
Short term, a greater understanding of this surveillance picture could have a chilling effect on all hosting and outsourcing services (not just cloud computing) in many countries. If, as ITIF estimates, half the cloud market will be fulfilled by non-US providers, and if this factor has just as much impact on them as the PRISM leak will have on US providers, then non-US cloud providers would take a hit of another $35 billion by 2016.
Add in the rest of the hosting and outsourcing market, which, according to Forrester estimates, is three times the size of the cloud market in this timeframe, and you now have a net $100 billion loss for non-US based service providers.
Add it all up and you have a net loss for the service provider space of about $180 billion by 2016 which would be roughly a 25 percent decline in the overall IT services market by that final year, using Forrester market estimates. All from the unveiling of a single kangaroo-court action called PRISM.
Scary picture but probably unrealistic.
Prior to today's media-hyped paranoia about government surveillance, corporate IT spending has been trending toward outsourcing for many years. Few corporations have no data in the cloud, let alone no data with a hosting company, colocation provider or outsourcing firm. Think your firm is the exception? Do a quick travel and expense audit against Evernote, Dropbox or similar services. Swear on a Bible that none of your employees have company data sucked up into iCloud. Sign a legal tender that none of your partners are storing your data or data about your company in the cloud or with a service provider. Oh well.
The fact of the matter is that the IT services market is a part of our portfolios because it provides capabilities we value either against IT or business metrics. And it's highly likely these values are worth more to you than the potential risk you think your company faces due to government surveillance. And if your company is a prime target for government surveillance, you are probably being watched from within your own firewalls right now.
So should you take the actions that would support the forecasted losses ITIF estimates? Should you take the actions that would fulfill the greater estimates I provided above? It's unlikely you will and in many cases it would be too costly or complex to do so at all.
Instead, you should heed the advice from Forrester's Data Security and Privacy Playbook. And when using cloud computing services embrace the Uneven Handshake of cloud security by recognizing that you can take actions yourself to protect your data from prying eyes when using these services. A quick tip: bring your own encryption. If you hold the keys, the governments can't get to your data by going through your service provider. That's the core premise behind the Megacloud storage service and there are ready solutions you can use today including Perspecsys and SafeNet ProtectV.
We also agree with ITIF's recommendation that the US government needs to act quickly to set the record straight about what information it does and does not (already) have access to. We would add that the US needs to reset the judicial-NSA relationship back to a more objective stance similar to what the founding fathers had in mind. But, as stated above, this isn't a US-only problem.
The leading governments of the world need to set aside time at the next G20 Summit to draft clear international surveillance transparency rules that will take any potential chill off the burgeoning cloud computing market. We as a planet, not just one nation at a time, need to balance security and economic interests. The US certainly could take individual actions that role-model this notion and make amends for the transgressions revealed through this leak. But other developed nations have the opportunity to step up as well and set a strong example that isn't trying to stand on a shaky foundation.
But it is unlikely any government will step up to this issue, as governments place a much higher priority on defense than they do on economic development. Want them to act? Don't wait for it. Protect yourself to the degree necessary and focus on achieving your business objectives.