How we’re boosting trust in the cloud, post PRISM - Hoofdinhoud
Recent reports like about the PRISM programme bring to everyone’s mind issues of security. The College of Commissioners recently discussed specific allegations about the US surveillance of EU premises; we are seeking urgent clarifications from the US. But for many people, this has brought this issue to the front: people are understandably concerned. And they are asking more general questions like: is my online data is free from hacking and spying? And: what measures can I take to stay secure online?
Those are the right questions to ask. And it is especially important as people and companies are storing more and more data in the cloud. The benefits of cloud computing are immense: but that’s precisely why it’s so important to restore trust. And the cloud is something particularly on my mind as I head off to Tallinn for our European Cloud Partnership.
In some cases, of course, it may be legitimate for authorities to have some degree of access to information held online; and I think that most people would accept that, in the case of (say) a child abduction, or a terrorist plot. But it is absolutely clear to me that any such access always needs to be within a legal framework that is legitimate and transparent. And it’s understandable that these issues are troubling for many ICT users - whether using it for business or pleasure.
In spite of the current increased attention given to cybersecurity, the subject obviously isn’t new; and indeed, the EU has set out strategies for cybersecurity and cloud computing to address the issues. From these, I suggest five ways to tackle these issues and improve security and trust online.
First, our cloud computing strategy is clear about the need for a transparent legal framework: like agreeing exactly the limited conditions under which third countries might access online information for law enforcement or national security. Reports about PRISM only increase the urgency. That would be a big step forward to rebuilding essential trust.
Second, reports about PRISM have heightened calls for a European cloud. And you can understand why. But first we would absolutely have to overcome legal borders, barriers and divergences within Europe. That’s the only way to ensure the cross-border scale to really maximise the European cloud boost - without compromising on European protections. Many governments and other actors can see the cloud advantage - but if your ambitions don’t extend beyond national borders, they don’t extend far enough. Legal differences within Europe include the current patchwork of divergent data protection rules, which we need to bring together and modernise: but also things like different contract terms. And these are all areas we are already working on as part of the Cloud Strategy.
Third, one sector still wary of moving into the cloud is the public sector - including because of security concerns. And this is what our European Cloud Partnership is about: a group of twenty top advisers, all private and public leaders. The Partnership gives governments a way to work together with the private sector towards using the cloud: starting by jointly discussing and jointly defining what they need, including in terms of security. Tomorrow, in Tallinn, Estonia, I meet the Steering Board of that Partnership for the second time: and at the top of all our minds will be how we can reap the benefits of cloud computing — while staying secure.
Fourth, high-quality research can mean stronger security. Existing EU investment, for example, supports advanced encryption - ensuring you can send, store and process, without exposing yourself to security risks. Open source software also helps, through more transparency about vulnerabilities.
Finally, and perhaps most importantly, companies and administrations can and should take steps to protect themselves: things like risk assessment, encryption, staff training and awareness, and other security measures. But, without legislation, we could still face weak links in the chain - so even diligent online users could find their details compromised or hacked thanks to others’ carelessness. That’s why I’ve been clear that we need EU legislation to set out a very clear standard on network and information security, with better defences and better sharing of information about threats. And I am calling on the EU’s national governments and European Parliamentarians to agree those rules as a matter of urgency. Delivering a more secure digital Europe should be every politician’s top priority: even more so now.
For all the shock of recent revelations, we should not lose sight of the big picture. The cloud offers a fantastic chance for governments to deliver services more integrated, effective and efficient. And for businesses - especially small businesses - to have IT as flexible, nimble and innovative as they are, without massive start-up costs. Overall the cloud boost is worth hundreds of billions of euros to our economy. And in fact in many ways cloud computing can be more secure than in-house alternatives: as expert cloud service providers can often take more effective measures than local data managers ever could, to stop data going astray.
Privacy is an understandable worry. But I think we should see it as an opportunity - for Europe as a whole, and for innovative companies to come up with the solutions that safeguard this fundamental right. If we take that opportunity, and the right policy measures, we can ensure more Europeans enjoy the huge benefits of a trustworthy, secure cloud.