
Nationality Doesn’t Determine Trustworthiness in the Cloud; New Report Calls for Common Technical and Legal Criteria

April 19, 2024

WASHINGTON—Policymakers should use technical and legal criteria about data privacy and cybersecurity to assess the trustworthiness of cloud computing services, not the service providers’ nationality, according to a new report from the Information Technology and Innovation Foundation (ITIF), the leading think tank for science and technology policy.

Cloud service providers have always faced concerns about data privacy and security practices, but in recent years there have been new concerns that some governments may compel access to cloud firms’ data and services. This has led to misguided conclusions that firms’ trustworthiness can be determined by their nationality. ITIF refutes that idea and details a series of technical and legal criteria for policymakers to consider when assessing cloud trustworthiness, which is a critical process for global data, cybersecurity, and technology governance.

“Cooperation on trusted cloud is foundational to both cybersecurity best practices and technology’s growing role in foreign affairs,” said Nigel Cory, ITIF’s associate director of trade policy, who authored the report. “If countries trust each other in contexts such as defense, intelligence, law enforcement, and trade, but they don’t trust their respective cloud firms, then how are they supposed to work together on related issues such as data governance and cybersecurity?”

ITIF’s new report presents case studies of regulatory regimes in 11 countries to highlight constructive and problematic approaches to assessing the trustworthiness of cloud services. ITIF concludes that policymakers should use a flexible and risk-based approach to assess cloud trustworthiness, recognizing that risk and trust both depend on factors such as the industry sector employing a cloud-based platform, the data in question, and the countries involved.

To that end, ITIF recommends that policymakers use international technical standards to establish common definitions, concepts, use cases, and criteria to assess cloud trustworthiness. Policymakers should start by mapping the technical controls and standards covered in existing cybersecurity certification regimes.

The report illustrates that process by detailing 27 technical and non-technical criteria that policymakers should use to assess cloud trustworthiness. It then maps them against well-established European and international cloud certification regimes.

Other recommendations in the report include:

  • Assessing whether countries have independent judiciaries and rule-of-law regimes to assess the risks of domestic and extraterritorial government access to data held by cloud firms.
  • Establishing transparency and openness in and around government requests for data.
  • Using international security, defense, data privacy, law enforcement, and cybersecurity agreements as legal and geopolitical criteria to assess whether a cloud provider’s home country should be considered trustworthy.
  • Developing common criteria and improved transparency to determine whether there is legal and operational separation or interdependence between a firm and its home country’s government.
  • Considering cooperation with local cybersecurity authorities to demonstrate cloud firms are trustworthy.
  • Creating a dedicated workstream on trusted cloud criteria led by G7 countries as part of the newly established OECD-based secretariat for the Data Free Flow With Trust initiative.

“If policymakers want to build global data and technology governance based on their shared values and interests, then they should work together to establish specific technical and legal criteria to assess cloud providers in a holistic way,” said Cory. “G7 and other countries need to provide third countries with a positive and constructive counter example to China’s restrictive and regressive approach to digital governance.”

Types of technical controls covered in European and international cloud certification programs (full circles are fully covered, half circles are partly covered, empty circles are uncovered)

Read the report.

###

The Information Technology and Innovation Foundation (ITIF) is an independent, nonprofit, nonpartisan research and educational institute focusing on the intersection of technological innovation and public policy. Recognized by its peers in the think tank community as the global center of excellence for science and technology policy, ITIF’s mission is to formulate and promote policy solutions that accelerate innovation and boost productivity to spur growth, opportunity, and progress.
