Wary of cybersnooping by countries like the United States, the Indian government is on the brink of announcing a new email policy designed to secure government communication.
Surveillance programs like Prism have raised the hackles of India’s Internet service providers. They are urging the government to make it mandatory for US Internet companies like Skype, Google, and Facebook to set up servers in India.
The country’s National Security Advisor agency has instructed the Department of Telecom to examine the feasibility of making it mandatory to route all telecom and Internet traffic through the National Internet Exchange of India (NIXI).
In the light of these developments, it could be hard days ahead for the US cloud computing industry. If foreign customers decide the risks of storing data with a US company outweigh the benefits, the US cloud computing industry stands to lose USD 22 billion to USD 35 billion over the next three years. An Information Technology and Innovation Foundation study released in August predicted that the US share of the non-US market will plunge 10-20 percent by 2016 as European and Asian competitors edge US companies out.
A Cloud Security Alliance member survey conducted in June and July (registration required) revealed that 10 percent of non-US residents had cancelled a project with a US cloud computing provider. Fifty-six percent said they would be less likely to use a US cloud computing service. Also, 36 percent of US residents said the NSA leaks made it harder for them to do business outside the United States.
Tell-tale signs of this have already emerged the world over.
Two US email service providers have shuttered themselves, citing the government’s intrusion. Switzerland’s ArtMotion has reported a 45 percent revenue increase as companies reassess cloud storage services such as Dropbox, Amazon Web Services, and Microsoft’s Azure.
As Pablo Valerio told us this summer, European companies are choosing Spain’s Telefonica, Deutsche Telekom, and other domestic cloud service providers over US companies.
Protectionist government policies are providing a larger framework for the offensive against US cloud services. German Interior Minister Hans-Peter Friedrich has warned citizens to steer clear of US cloud companies, and Dutch Minister of Safety and Justice Ivo Opstelten said as far back as 2011 that US companies should be barred from participating in government bids.
India’s new email policy would make it mandatory for all government officials stationed abroad to use only static IP addresses, virtual private networks, and one-time passwords for accessing government email services. Kapil Sibal, the minister for communications and IT, told the Indian Parliament that the policy is necessary because most major email service providers have their servers in the US, and that Indian websites that have set up servers in the country can protect email only within India. All foreign missions would be asked to use only National Informatics Centre (NIC) servers linked to a server in India.
At present, an email sent from Delhi to Mumbai may be routed through servers in the US. Not only do the ISPs have to buy international bandwidth, but they also have no control over the intra-India traffic, which may be open to scrutiny by foreign surveillance agencies. Hence, there is a proposal to route all traffic through NIXI, as well. Only 10 percent of the domestic traffic is routed through NIXI presently.
As for getting Internet companies to set up servers in India, the government has already flagged the issue with the US government in the context of monitoring social media.
Of course, India and other countries have their own surveillance programs, and we’re only just discovering them. (See: India’s Version of Prism Even Worse.) It remains to be seen how these programs will change market sentiment. Some countries, especially those in Europe that have resisted these programs, may purposely create safe havens against programs like these. Or there may be so many countries with surveillance programs that the choice to take business elsewhere will be removed.
CIOs need to watch carefully as laws and policies change. What looks like a safe and easy place to do business one week may install new rules or be revealed as unsafe the following week.
