For good reason, a lot of discussion about recent NSA revelations has focused on the government, what they are actually doing, and what controls are in place. However, it’s important to keep in mind, however, that most of the data collection utilized the services of private companies in one of the best examples of outsourcing available: why have the government spend billions of dollars on data collection infrastructure when they can just ask the private data collectors to share? What remains to be seen, though, is the long-term consequences for those private companies, and whether they will remain so quiet and accommodating in the future.
Continuing to cooperate may have real costs. Bruch Schneier advocates that private companies resist because eventually, the government will hang them out to dry. ITIF suggests a more concrete reason for resisting: it could cost money for cloud providers. I find the monetary justification very interesting, although one without a good solution. There’s a great deal of (justified) fear in outsourcing IT to Chinese infrastructure for fear of data loss. Is it now time to extend that fear to U.S.-based cloud providers? If so, what are the alternatives? Europe has regulatory issues. What does that leave? South America? Australia? Bring back HavenCo?
It’s very early in this saga, and it’s going to be a while before companies understand this landscape. When it comes to managing enterprise risk, companies have long had to worry about hackers, natural disasters, and corporate espionage. It’s clear, though, that it’s likely necessary to add cooperation with government data collection practices to the list of risks to manage.