BriefingsDirect Analysts Discuss Ramifications of Google-China Dust-Up over Cyber Attacks
Edited transcript of a BriefingsDirect Analyst Insights Edition podcast, Volume 50, on what the
fallout is likely to be after Google's threat to leave China in the wake of security breaches.
Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.
Dana Gardner: Hello, and welcome to the latest BriefingsDirect Analyst Insights Edition,
Volume 50. I'm your host and moderator Dana Gardner, principal analyst at Interarbor Solutions.
This periodic discussion and dissection of IT infrastructure related news and events with a panel
of industry analysts and guests, comes to you with the help of our charter sponsor
Active Endpoints, maker of the ActiveVOS visual orchestration system.
Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week
of January 18, 2010, focuses on the fallout from Google’s threat to pull out of
China, due to a series of sophisticated hacks and attacks on Google, as well as a
dozen more IT companies. Due to the attacks late last year, Google on January 12th vowed to
stop censoring Internet content for China’s web users and possibly to leave the country
This ongoing tiff between Google and the Internet control authorities in China’s Communist
Party-dominated government has uncorked a Pandora’s Box of security, free speech and
corporate espionage issues. There are human rights issues and free speech issues, questions on
China’s actual role, trade and fairness issues, and the point about Google’s policy of initially
enabling Internet censorship and now apparently backtracking.
But, there are also larger issues around security and Internet governance in general. Those are the
issues we’ll be focusing on today. So, even as the US State Department and others in the US
federal government seek answers on China’s purported role or complicity in the attacks, the
repercussions on cloud computing and enterprise security are profound and may be long-term.
We’re going to look at some of the answers to what this donnybrook means for how enterprises
should best protect their intellectual property from such sophisticated hackers as government,
military, or quasi-government corporate entities and whether cloud services providers like
Google are better than your average enterprise or even medium-sized business at thwarting such
We'll look at how users of cloud computing should trust or not trust providers of such mission-
critical cloud services as email, calendar, word processing, document storage, databases, and
applications hosting. And, we’ll look at how enterprise architecture, governance, security best
practices, standards, and skills need to adapt still to meet these new requirements from insidious
So, join me now in welcoming our panel for today’s discussion. Welcome to Jim Kobielus,
senior analyst at Forrester Research. Hello, Jim.
Jim Kobielus: Hi Dana. How are you, buddy?
Gardner: Jason Bloomberg, managing partner at ZapThink.
Jason Bloomberg: Hi. Glad to be here.
Gardner: Jim Hietala, Vice President for Security at The Open Group.
Jim Hietala: Hello, Dana.
Gardner: Elinor Mills, senior writer at CNET. Hello, Elinor.
Elinor Mills: Hi.
Gardner: And Michael Dortch, Director of Research at Focus.
Michael Dortch: Hi, Dana, and greetings, everyone.
Gardner: Thanks. Great having you with us Michael.
Elinor, let me start with you. You’ve been covering Internet security, and even Google
specifically, for several years now. When we think of security, we often think of teenage hackers
or lowbrow malware and pesky pop-ups, but do you think that this Google-China finger-pointing
business has, in a sense, changed the way security is viewed?
Mills: Oh, absolutely. We’ve got a huge first public example of a company coming out and
saying, not only that they've been attacked -- companies don’t want to admit that
ever and it’s all under the radar -- but also they’re pointing the fingers. Even
though they're not specifically saying, "We think it’s the Chinese state," but they
think enough of it that they're willing to threaten to pull out of the country.
It’s huge and it’s going to have every company reevaluating what their response is
going to be -- not just how they’re going to do business in other countries, but
what is their response going to be to a major attack.
Gardner: Does this mean that the companies, enterprises specifically, need to rethink both
security for what you'd call criminal activity, but now think at a higher level -- higher level being
government versus government?
Mills: Yes, if they’re big companies -- mid-size companies maybe not so much. Bigger
companies have been targeted with espionage for a while, especially if they have any kind of
technology that China or any other country might want. I think there's going to be more emphasis
on it. They’re going to have to think about it. For smaller companies, it’s not going to be as much
of a problem.
Gardner: Jim Kobielus, do you view this as a big issue or is this more of the same? Have the
folks that you deal with, who are protecting their data and information, been aware of these
threats? Is this more of a public relations problem than a real one?
Kobielus: I won’t say it’s just a public relations problem. It is a real one. If you’re going to be a
multinational firm -- I've heard the term "supernational" used as well -- you’re not
above the laws and governmental structures of the nations within which you
operate. It's always been this way. This is a sovereign nation, and you're subject to
If you’ve been a multinational firm before, or if you wish to be one, you’ve got to
play by whatever rules are imposed upon you to operate in these spheres. One of
the key issues for Google is whether they want to continue to be a business that’s growing in this
particular market, subject to whatever rules are laid down, whether they want to be a crusader for
civil rights, human rights, whatever, in the Western context, or if they’re trying to be both. It
means they’re going to have to contend with the government of the People’s Republic of China
on their own turf -- and good luck there.
Gardner: Don’t you think, Jim, that these issues transcend national boundaries or even laws that
govern as a particular sovereign nation? If your servers are in one country, why should it be
bound by the laws in another?
Kobielus: Well, your servers are physically hosted somewhere. Your access is from people, end
users, in many nations that are trying to access whatever services you provide from those
physically hosted servers.
So, your users and your servers are subject to the laws and the firewalls and security constraints
and so forth in the various nations within which you will physically operate, as well as where
your supply chain and your customer base will physically operate. None of these segments, these
nodes, in this broader value chain are free floating in space like they're elevated platforms in the
Gardner: I think Google is going to perhaps challenge the way you’re looking at this. It should
be interesting to see how it pans out. Jason Bloomberg, does this provide some sort of a wakeup
call for enterprises and service providers as well about how they architect? Do they need to start
architecting for a larger class of threats?
Bloomberg: It’s not as big of a wakeup call as it should be. You can ask yourself, "Is this an
attack by some small cadre of renegade hackers or is this attack by the government
of the People’s Republic of China?" That’s an open question at this point.
Who is the victim? Is it Google, a corporation, or the United States? Is it the
western world that is the victim here? Is this a harbinger of the way that
international wars are going to be fought down the road?
We’ve all been worried about cyber warfare coming, but we maybe don’t recognize
it when we see it as a new battlefield. It's the same as terrorism. It’s not necessarily clear who the
participants are. We have this 18th Century view of warfare, where two armies meet on the
battlefield and slug it out with the weapons of the day. But, terrorism has introduced new types of
weapons and new types of battlefields.
Now we have cyber warfare, where it’s not even necessarily clear who the perpetrator is, who the
victim is, or who the offended party is. This is a whole new context for conflict in the world.
When you place the enterprise into this context, well, it’s not necessarily just that you have a
business within the context of a government subject to particular laws of particular government,
you have the supernational, as Jim was talking about, where large corporations have to play in
multiple jurisdictions. That’s already a governance challenge for these large enterprises.
Now, we have the introduction of cyber warfare, where we have concerted professional attacks
from unknown parties attacking unknown targets and where it’s not clear who the players are.
Anybody, whether it’s a private company, a public company, or a government organization is
They may not even fully know how involved they are or whether or not they are being targeted.
That basically raises the bar for security throughout the entire organization. We’ve seen this
already, where perimeter-based security has fallen by the wayside as being insufficient.
Sure, we need firewalls, but even though we have systems inside our firewalls, it doesn’t mean
they are secure. A single virus can slip through the firewall with no problem at all. We already
have this awareness that every single system on our network has to look out for itself and, even
then, has levels of vulnerability. This just takes it to the national level.
Kobielus: But, there has always been corporate espionage and there’s always been vandalism
perpetrated by companies against each other through subterfuge, and also by companies or fronts
operating as the agent of unseen foreign power. This is what the Germans did in this country
before World War II to infiltrate, or what the Soviet Union did after World War II.
This is international realpolitik as usual, but in a different technological realm. Don’t just focus
on China. Let’s say that Google had a data center in Venezuela. They could just as easily have
that expropriated by Hugo Chavez and his government. In China, that’s a possibility too.
Nothing radically new
What I’m saying is that I don’t see anything radically or fundamentally new going on here. This
is just a big, powerful, and growing world power, China, and a big and growing world power on
a tech front, Google, colliding.
Mills: They have so much data. They’re becoming a service provider for the world. It’s not just
their data that’s being targeted. You’ve got the City of Los Angeles, you’ve got DC, other
government entities, moving onto Google Apps. So, the end target in the cloud is different than
just the employees of one company.
Dortch: That challenge puts Google in the very interesting position of having to decide. Is it a
politically neutral corporation or is it a protector of the data that its clients around
the world, not just here, and not just from governments but corporations? Is it a
protector and an advocate of protection for the data that those clients have
entrusted to it? Or, is it going to use the fact that it is a broker of all that data to sort
of throw its muscle around and take on governments like China’s in debates like
The implications here are bigger than even what we’ve been discussing so far,
because they get at the very nature of what a corporation is in this brave new network world of
And, this is taking place against the backdrop where the Supreme Court just decided that
corporations in the United States have the same free speech rights and political campaigns as
individuals. We're not clear at all on what this is going to mean for how the entity called a
corporation is perceived, especially in the cloud.
Gardner: Thank you, Michael. Jim Hietala, help me understand, from your perspective, is this a
game-changing event or is this more business as usual when it comes to corporate security?
Hietala: In terms of the visibility it’s gotten and the kinds of companies that were attacked, it’s a
little bit game-changing. From the information security community perspective, these sorts of
attacks have been going on for quite a while, aimed at defense contractors, and are now aimed at
commercial enterprises and providers of cloud services.
I don’t think that the attacks per se are game-changing. There’s not a lot new here. It’s an attack
against a browser that was a couple of revs old and had a vulnerability. The way in which the
company was attacked isn’t necessarily game-changing, but the political ramifications around it
and the other things we’ve just been talking about are what make it a little game-
Gardner: I’d like to understand more about Michael Dortch’s point about the
cloud providers and Elinor's as well. Should people think about a cloud provider
as the best defense against these things, because they are current and they’ve got
the power of scale they need to make this secure or their business itself is
Or, is this something that’s best done at the individual level, company by company, firewall by
firewall? Does anyone have some thoughts about that?
Dortch: I’m reminded of what Ronald Reagan famously said, “Trust, but verify.” It’s one of
those things where the cloud becomes a part of a good defense, but you can’t place all of your
eggs in any one basket.
Companies that are doing business internationally and that worry about this sort of thing -- and
they all should -- are going to have to combine cloud-based resources from reputable companies
with documented protections in place with other protections, in case the first line of defense fails
or is challenged in some major way.
Kobielus: In some ways, we all perceive what a cloud provider like Google needs to be regarded
as in international law. It’s almost like a cyber Switzerland. Basically, it’s almost like, in another
metaphor, an off-shore bank for your data and your other assets, in the same neutral role that
Switzerland has played through the years, including during World War II for Nazi secreted
In other words, it’s somehow a sovereign state, in its own right, with the full rights and privileges
accruing thereto. I don’t think anybody is willing to take it that far in international law, but I
think there is this perception that for cloud providers like Google to really realize their intended
mission, there needs to be some change in international governance of sort of assets that
transcend nation states.
Bloomberg: You could actually think of that as a reductio argument, because there isn’t going to
be such a change. Cloud environments do not have that sort of power or capability and, if
anything, cloud environments reduce the level of security.
They don’t increase it for the very reason that we don’t have a way of making them sovereign in
their own right. They’re always not only subject to the laws of the local jurisdiction, but they’re
subject to any number of different attacks that could be coming from any different location,
where now the customers aren’t aware of this sort of vulnerability.
So, “Trust, but verify,” is a good point, but how can you verify, if you’re relying on a third party
to protect your data for you? It becomes much more difficult to do the verification. I'd say that
organizations are going to be backing away from cloud, once they realize just how risky cloud
Mills: Microsoft’s general counsel Brad Smith this week gave a keynote at the Brookings
Institute Forum, and he talked about modernizing and updating the laws to adapt specifically to
the cloud. That included privacy rights under the Electronic Communications Privacy Act being
more clearly defined, updating the Computer Fraud and Abuse Act, and setting up a framework
so that differences in the regulations and practices in various countries can be worked out and
Gardner: What happens if you are a small to medium-sized business and you might not have the
resources to put into place all the security you need to deal with something like a China or
Venezuela, or perhaps some large company that’s in another country that wants to take your
intellectual property? Are you better going to a cloud provider and, in a sense, outsourcing
security? Jim Hietala, does that make sense for a small to medium-sized business?
Hietala: I don’t think you can make that case yet today. I don’t think there is a silver-bullet cloud
provider out there that has superior security to have that position. All enterprises still are going to
have to be at the top of their game, in terms of protecting their assets, and that extends to small or
At some point, you could see a cloud provider stake out that part of the market to say, "We’re
going to put in a superior set of controls and manage security to a higher degree than a typical
small-to-medium business could," but I don’t see that out there today.
Waiting for disaster
Dortch: All of us who’ve been doing this for a while, I think, will agree that where security is
concerned, especially where cyber security is concerned, at least in North America, where I’m
most familiar, companies tend not to talk about it or do anything, until there is some major
Nobody buys insurance, until the house next door to theirs burns down. So, from that perspective,
this event could be useful. In terms of protecting their data, one of the issues that incidents like
this raises is exactly how much corporate data is already in the cloud.
Many small businesses outsource payroll processing, customer relationship management (CRM),
and a whole bunch of things. A lot of that stuff is outsourced to cloud service providers, and
companies haven’t asked enough questions yet about exactly how cloud providers are protecting
data and exactly how they can reassure that nothing bad is going to happen to it.
For example, if their servers come under attack, can they demonstrate credibly how data is going
to be protected? These are the types of questions that incidents like this can and should raise in
the minds of decision-makers at small and mid-sized businesses, just as they're starting to raise
these issues, and have been raising them for a while, among decision-makers at larger enterprise.
Kobielus: I think what will happen is that some cloud providers will increasingly be seen as safe
havens for your data and for your applications, because (A) they have the strong security, and (B)
they are hosted within, and governed by, the laws of nation states that rigorously and faithfully
try to protect this information, and assure that the information can then be removed -- transferred
out of that country fluidly by the owners, without loss.
In other words, it's like the Cayman Islands of the cloud -- that offshore banking safe haven you
can turn to for all this. Clearly, it's not going to be China.
Gardner: We’ve seen in the history of the United States -- and, of course, the business world at
large -- that whenever threats elevate to a certain level, the government steps in. We have seen
with piracy, border controls, taxation, trade mandates, freedom pacts, and so forth. Whenever a
threat arises, businesses get up and say, "Hey, we pay taxes. Uncle Sam, please come in and save
us," whether it's through the navy or some technology.
Should we expect that, if we come to understand that this was an attack against American
business interests from a foreign government of some kind, that it's up to the government to
solve the problem? How about governments in general, maybe the United Nations, who steps in?
Who is the ultimate governor of what happens in cyber space?
Dortch: Dana, in 2007, the National Academies of Science issued a cyber security report, and it
included ten provisions that, at that time at least, were looked at as potentially the foundation for
a cyber security bill of rights. Maybe it's time to reawaken discussions like that. Maybe what's
needed is the cyberspace equivalent of the United Nations.
This is a lot of heavy lifting that we're talking about, and businesses have problems to solve and
threats to address today. So your question begs another one: how do we get to the stage we need
to be, where there can be trusted offshore equivalence databanks and all of that? And, what do
we do in the meantime? I'm not smart enough to have answers to those questions, but they're
We know the game
Kobielus: At a governmental level, obviously there will always be approaches and tools
available to any sovereign nation -- treaties, negotiations, war, and so forth. We all know that.
Clearly, we all know the game there.
In terms of who has responsibility and how will governance best practices be spread uniformly
across the world in such areas of IT protection, it's going to be some combination of multilateral,
bilateral, and unilateral action. For multilateral, the UN points to that, but there are also regional
organizations. In Southeast Asia there is ASEAN, and in the Atlantic there is NATO, and so
So, there is going to be a combination of all that. For this administration and subsequent
administrations in the US, it’s just a matter of their putting together a clear agenda for trying to
influence the policies, practices, and enforcement within China and other nations that may prove
unreliable in terms of protecting the interest of our businesses.
Dortch: And, Secretary of State Clinton’s director of innovation -- I believe that's his title -- has
already said publicly that it's a linchpin of our negotiating strategy with China and other
Just as we, as a country, are an advocate for human rights, we're increasingly and more overtly
advocating that other countries’ citizens have free access to the Internet and basically have the
cyber equivalent of human rights. That's going to play out in some very interesting ways as it
becomes a larger part of our global diplomatic effort.
Kobielus: Keep in mind that the UN had a human rights declaration in 1946. China signed up,
the Soviet Union signed up, and it didn’t make a whole lot of difference in terms of how they
treated their own people over time. Keep in mind that such declarations are fine and dandy, but
often don’t have much impact on the ground.
Gardner: So, enforcement is important. What we’ve seen so far is the enforcement of the
marketplace, and I think that's what Google is up to in many respects. They’re saying, "Listen,
we are a big enough company. We have such sophisticated technology and our price points for
our services are so low that you would be at a disadvantage as a competitive nation not to have
us working inside of your market, China."
Then, China says back to Google, "We are potentially, if not already, the biggest Internet market
in the world, so don’t you think you have to adhere to our dictates in order to play ball in our
court?" So, there is sort of a tussle within market powers. Is that going to be the best way for
these issues to be resolved?
Kobielus: It’s going to have to be resolved in the China context. They are the middle kingdom.
They’ve seen themselves as the center of the universe, and it's not just me saying that. It's all
manner of China scholars. This is not fundamentally any different from the way in which Chinese
centralized bureaucracy and governance for over 2,000 years.
Gardner: Jason Bloomberg, do you think that the traditional free market -- the powerful
interests and the money -- are enough to balance the risks associated with security in this newest
Who decides "enough?"
Bloomberg: When you say "enough," the question is who decides what is enough. We have
these opposing forces. One is that information should be free, and the Internet should be
available to everybody. That basically pushes for removing barriers to information flow.
Then you have the security concerns that are driving putting up barriers to information flow, and
there is always going to be conflict between those two forces. As increasingly sophisticated
attacks develop, that pushes the public consensus toward increasing security.
That will impact our ability to have freedom, and that's going to be, continue to be a battle that I
don’t see anybody winning. It's really just going to be an ongoing battle as technology improves
and as the bad guys' attacks improve. It's going to be an ongoing battle between security and
freedom and between the good guys and the bad guys, as it were, and that's never going to
Gardner: Now, taking up on your point, Jason Bloomberg, about this being a spy-versus-spy
kind of world, that's been that way so far. We thought about how governments might come in.
Large corporations can play their role. Cloud providers might have to step in and offer some sort
of an SLA-based protection or outsourced security opportunity of some kind.
What about going in the other direction? What if we go down to the individual who says, "If I'm
going to play in the cloud or in this world-class cyber warfare environment, I want to have high
encryption. I want to be able to authenticate myself in the best way possible. Therefore, I’ll give
up some convenience. I might even pay a price, but I want to have the best security around my
identity and I want to be able to play with the big boys, when it comes to encryption and
We don’t really have an opportunity for those people to say, "I want to exercise security at an
individual level." Jim Hietala, is there anything like that out there to get them to move towards
the individual level of self-help, when it comes to high levels of security?
Hietala: Large enterprises are going to have to be responsible for the security of their
information. I think there are a lot of takeaways for enterprises from this attack. If you're talking
about specific individuals, it’s almost hopeless, because your average individual consumer
doesn’t have the level of knowledge to go out and find the right solutions to protect themselves
So, I'll focus on the large enterprises. They have to do a good job of asset inventory, know where,
within their identity infrastructure, they're vulnerable to this specific attack, and then be pretty
agile about implementing countermeasures to prevent it. They have to have patch management
that's adequate to the task of getting patches out quickly.
They need to do things like looking at the traffic leaving their network to see if people are
already in their infrastructure. These Trojans leave traces of themselves, when they ship
information out of an organization. When people really understand what happened in this attack,
they can take something away, go back, look at what they are doing from a security standpoint,
and tighten things up.
If you're talking about individuals putting things in the cloud, that’s a different discussion that
doesn’t seem real feasible to me to get them to the point where they can secure their information
Gardner: Jim, I was getting back to what I used to hear almost 20 years ago in the messaging
space, when we first started talking about directories, that the directory is only as good as the
authentication and the information and verification.
Don’t we need a centralized directory that we can bounce off these credentials and make sure
that they are valid and authenticated? But, there was no central place to do that. Is it time for the
government or some other agency or organization to come in and create that über directory for
that large-scale global authentication capability?
Kobielus: You're talking about identity systems, with a web of trust, PKI and so forth. We've
been talking about that for years. About five years ago, I was with a company that was trying to
build federated cross-industry identity management for aerospace and defense, one North
Atlantic industry, and even that was frightfully complicated. It probably still hasn’t gotten off the
Imagine creating a similar federated directory with all the stronger authentication and encryption
and so forth for all industries within the US. Especially consider worldwide. It’s not going to
happen. It’s just a huge engineering nightmare, putting together the trust relationships and
working out all the interchange and interoperability issues. It’s just overkill. It’s just much more
trouble than it’s worth.
Gardner: Too much federation. But what if there are only a handful of major cloud providers?
Maybe it’s Google, Yahoo, Amazon, and Microsoft -- and I've just thrown those out. It could be a
number of others. They might have the market heft or the technological wherewithal to enforce
and deliver such an authentication and federated directory into existence.
Is anybody thinking like I am, that maybe cloud computing is different, that we can start to
actually use the scale of these cloud providers to accomplish these large security requirements?
Dortch: You know, Dana, people change a lot more slowly than technology does. Just a few
short months ago, a lot of us were outraged, when it turned out that a handful of major telephone
service providers had apparently been giving information to the government without the
knowledge or consent of the subscribers whose information was manipulated. At least, that's
what the published report seemed to indicate.
I don’t see the people running cloud-computing companies being radically different from the
people that run phone companies, and I don’t see them being, a priori, any less subject to
influence by their own governments, bribes, threats, or anything else than the people who run the
phone companies. I think that’s a good idea but I think it’s fraught with the same level of peril.
Kobielus: In fact, look at the last nine years since 9/11 and you can see in all the articles and
stories how telcos have just bent over backwards to allow the Feds to come in and survey their
users and subscribers and to abscond with call detail records to monitor terrorist and other
people's calling patterns, quite often not even using a search warrant. In other words, it's exactly
what he said. How can you trust the carrier to safeguard our privacy, when they so easily
succumb to such government pressure?
Gardner: So, these are very big issues that will impact us all as individuals and citizens within
our national interests, as well as our companies. Yet, no one seems to have a good sense -- and
there are some very bright people on the line today -- of how to even go about defining the
problem, never mind solving it.
Kobielus: Dana, there is another point you raised about, why we don't just let the providers
become sort of the über identity management registrars and then set a rate among themselves.
Remember about 10 years ago -- I'm getting old, I can remember back 10 or more years --
Microsoft with its MSN Passport fiasco? Microsoft was saying, "We want to be everybody's
identity management hub." Then, the huge thing that was raised about it was, "Microsoft wants
to control our identities." Then, things like Liberty Alliance and all the others sprung up to say,
"No, no, it must be a centralized and better way, so no one company can control all of our online
That whole passport idea was kind of cool in some ways, but was just shot down completely and
definitively, because the culture just said, "No, we cannot allow one group to have that much
Gardner: They typically didn't trust Microsoft at that point, when it was at perhaps the apex of
its power, right?
Kobielus: Exactly. Now, Google is at the apex of their power. Would we trust Google in the
same capacity? Look at China. They will become probably the largest economy in the world, in
the next 25 years. Can we trust them? No, of course not.
When you have too much power concentrated in one place, people naturally sort of revolt. "No,
wait, wait. I don't want to give them any more powers than they already have. Let's rethink this
whole 'give them control of my identity' thing."
Dortch: It was the desire to get away from too much centralized control that led to the invention
of the PC in the first place. It's important to keep that in mind in this context.
Gardner: So, if you truly want to be safe, you should just turn off your PC and start sending out
mail at 44 cents a pop.
Kobielus: And, then you're not safe from Anthrax, you know.
Gardner: Let's go around our panel. We’re almost out of time. I’d be interested now in hearing
some predictions about what you think is going to happen next. We've done a great job at
defining the scope, depth, and complexity of this problem set, a very complex undertaking. But,
it seems like it's not something that's going to go away. What do you think is going to happen
next, Jim Kobielus?
Kobielus: I don't think Google is going to leave China. I even saw a headline today. I think it
said that they were going to stay in China and somehow try to work it out with the PRC. I don't
know where that's going, but fundamentally Google is a business and has a "don't do evil"
philosophy. They're going to continue to qualify evil down to those things that don't actually
align with their business interest.
In other words, they're going to stay. There's going to be a lot of wariness now to entrust
Google's China operation with a whole lot of your IT -- "you" as a corporation -- and your data.
There will be that wariness.
Other cloud providers will be setting up shop or hosting in other nations that are more respectful
of IP, other nations that may not be launching corporate or governmental espionage at US
headquartered properties in China. Those nations will become the preferred supernational cloud
hosting platforms for the world.
I can't really say who those nations might be, but you know what, Switzerland always sort of
stands out. They're still neutral after all these years. You've got to hand that to them. I trust them.
Gardner: Jason Bloomberg, what do you think is going to happen next?
Bloomberg: In the short-term, the noise is going to die down or going to go back to business as
usual. The security is going to need to improve, but so are hacks from the bad guys. It's going to
continue, until there is the next big attack. And the question is, "What's it going to be and how
big is it going to be?"
We're still waiting for that game changer. I don't think this is a game changer. It's just a way to
skirmish. But, if a hacker is able to bring down the internet, for example, targeting the DNS
infrastructure to the point that the entire thing collapses, that’s something that could wake people
up to say, "We really have to get a handle on this and come up with a better approach."
Gardner: That's mass vandalism. That doesn't really suit the purposes of some of the types of
folks we are talking about. They don't want to bring the Internet down. They simply want to get
an advantage over their competitors.
Bloomberg: Well, it really depends. We don't know who the bad guys are and what they’re
trying to do. There's no single perspective. There's no single bad guy out there with a single
agenda. We just don't know. We don't know what the agendas are.
Gardner: We don't know whether we've a level playing field or not?
Bloomberg: We can count on it not being leveled.
Gardner: Right. Jim Hietala, what do you see as some of the short- or medium-term next steps?
Hietala: From our perspective, we're starting to see more awareness at higher levels in
governments that the threats and issues here are real. They’re here today. They seem to be state
sponsored, and they're something that needs to be paid attention to.
Secretary of State Clinton gave a speech just today, where she talked specifically about this
attack, but also talked about the need for nations to band together to address the problem. I don't
know what that looks like at this point, but I think that the fact that people at that level are
talking about the problem is good for the industry and good for the outlook for solutions that are
important in the future.
Gardner: So, perhaps a free world versus an unfree world, at least in cyber terms, and perhaps
the free world would have an advantage, or maybe the unfree world would have an advantage.
It's hard to say.
Hietala: I'd agree it's hard to say, but the fact that those discussions are going on is positive.
Gardner: Elinor Mills, any sense of where things are going?
Leading the way
Mills: I'm horrible at predictions, but I'll just throw this out. I think Google is going to get out
of China and try and lead some kind of US corporate effort or be a role model to try to do
business in a more ethical way, without having to compromise and censor.
There will be a divergence that you'll see. China and other countries may be pushed more
towards limiting and creating their own sort of channel that's government filtered. I think the
battle is just going to get bigger. We're going to have more fights on this front, but I think that
Google may lead the way.
Gardner: Very good. Michael Dortch, where do you see it going?
Dortch: Elinor is at least partly right. Especially, if Google leaves China, Baidu's going to rise
up as being the government approved version of Google for China and its localities. The very
next thing Google will do is forge as strong a working relationship as it possibly can with Baidu.
You might see that model replicated across multiple countries in the world.
In the meantime though, something that -- if I remember correctly -- Astrodienst said almost 30
years ago is important to remember. Privacy is fungible. It's like currency. You're going to see
individuals, small businesses, and individual corporate entities forging negotiations, deals,
relationships, and accommodation that treat privacy and security as currency. If it costs me a
little bit more to do business here, I'm going to think seriously about it. Every once in a while,
I'm going to swallow hard and pay the piper.
Gardner: Great. I'm going to throw my two cents as well. This boils down to almost two giant
systems or schools of thought that are now colliding at a new point. They've collided at different
points in the past on physical sovereignty, military sovereignty, and economic sovereignty. The
competition is between what we might call free enterprise based systems and state sponsorship
through centralized control systems.
Free enterprise won, when it came to the cold war, but it's hard to say what's going to happen in
the economic environment where China is a little different beast. It's state sponsored and it's also
taking advantage of free enterprise, but it's very choosy about what it allows for either one of
those systems to do or to dominate.
When you look at Google, Google made itself into a figurehead of representing what a free
enterprise approach could do. It's not state sponsored or nationalistic. It's corporate sponsored.
So, it would be interesting to see who has the better technology, who has the better financial
resources, and ultimately who has the organizational wherewithal to manifest their goals online
that wins out in the marketplace.
If an organized effort is better at doing this than a corporate one, well then they might dominate.
But so far, we've seen a very complex system that the marketplace -- with choice, and shedding
light and transparency on activities -- ultimately allows for free enterprise predominance. They
can do it better, faster, cheaper and that it will ultimately win.
I think, we're really on the cusp here of a new level of competition, but not between countries or
even alliances, but really between systems. The free enterprise system versus the state-sponsored
or the centralized or the controlled system. It should be very interesting.
I want to thank our guests for today’s discussion. Jim Kobielus, senior analyst at Forrester
Research. Thanks, Jim.
Gardner: Jason Bloomberg, managing partner at ZapThink. Great to have you.
Bloomberg: My pleasure.
Gardner: Jim Hietala, Vice President for Security at The Open Group. Thank you, Jim.
Hietala: Thank you, Dana.
Gardner: And thank you for joining us, Elinor Mills, senior writer at CNET.
Mills: My pleasure.
Gardner: Lastly, I appreciate your debut here today, Michael Dortch, Director of Research at
Dortch: It was great fun, and I hope I passed the audition.
Gardner: You did.
Gardner: I also want to thank our charter sponsor for supporting today’s BriefingsDirect,
Analyst Insights Edition, that's Active Endpoints. This is Dana Gardner, principal analyst at
Interarbor Solutions. Thanks for listening, and come back next time.
Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.