The failures of government IT projects are well-known and have been for decades, during which the problems have been intractable. Now a solution is being championed by Her Majesty's Government – cloud computing.
What is cloud computing? And is it the answer?
HMG runs a blog called G-Cloud (the government cloud), on which last Friday Adrian Scaife from the Ministry of Justice posted an answer to the first question above, "A No Brainer":
Mr Scaife should know all about the traditional problems of government computing. He works for NOMS, the National Offender Management Service, the travails of which have rarely been out of Private Eye for the past eight years. To pick just one of the hiccoughs suffered, in March 2009 the National Audit Office published a report on the NOMS computer system which includes this:
Cloud computing is so easy to understand that even simple folk like me get the idea.
This patrician insouciance of Whitehall's when it comes to public money is just one of the aggravating features of government IT collected together in a report by the Public Administration Select Committee, Government and IT- "A Recipe For Rip-Offs": Time For A New Approach, a report which with good grace Mr Scaife refers to. It's a long report and readers may care to start with the contribution entitled Whitehall, Red Light District beginning at page Ev w7 to get the flavour of it. Clause 5 deals with cloud computing.
3.17 At the end of October 2007, £161 million had been spent on the project overall. We have not been able to ascertain precisely what this money was spent on because NOMS did not record expenditure against workstream before July 2007 ...
Mr Scaife's post promotes five alleged benefits of cloud computing which he says will help to solve the current problems of government IT:
If there is no CapEx, no capital expenditure, then what Mr Scaife foresees is a new world in which government doesn't buy any expensive computers (any servers) itself. But someone has to buy them. The people buying them are AWS, Amazon Web Services, and other suppliers of cloud computing services. Someone must pay for all the spare capacity which would allow HMG to "scale up" any time it wants to, no delays involved. And someone must keep paying for it when HMG decides at the drop of a hat to "switch off". All that redundancy must be reflected in the costs.
- No CapEx – you can stand up services in days, hours or in some cases minutes – try before you buy: spin up an AWS instance, sign up for Google Apps for Business or an Office 365 free trial and touch and feel it for yourself ...
- Metered Services – you only pay for what you use. If it doesn’t fit the bill, switch it off. If it does work you can grow it incrementally ...
- Scalability, flexibility, elasticity – All baked in. You want to add a couple of hundred gigs of storage, another 50 or 5000 users, a new tenancy for an application, just switch it on. And when your business changes and you don’t need it any more – no exit costs, just switch it off ...
- Cheaper – the economies of scale the global-class cloud providers can realise drive unit costs to a level that can never be achieved through an on-premise approach. In many cases, cloud services are free at the point of use because of these economies of scale, and because they are typically monetised by advertising – you can normally lose the ads for a paid business version of a cloud service ...
- Vendor-led Innovation – One of the great things about cloud is that you don’t have to do upgrades, the cloud provider does it. New features, patches, and upgrades are all part of the package. Because the global market is a competitive place, as well as getting better, services can get cheaper too: AWS reduced their prices twice in 2011 ...
What we're looking at is a return to the 1970s and timesharing. Back then, most companies couldn't afford mainframes or minicomputers and so they rented time on computers provided by the likes of GEISCO – General Electric Information Services Company – and Comshare and other smaller bureau operators. Timesharing costs went through the roof and the whole business was gratefully abandoned when PCs arrived in the 1980s.
HMG is welcoming the timesharing zombie back into Whitehall. And Mr Scaife, at least, offers no reason to believe that costs won't go through the roof again just like the last time.
Mr Scaife's post barely considers the potential disadvantages of cloud computing. The document is more like a piece of sales literature than a balanced assessment.
There are other opinions of the new world being sold to us here:
- The OECD, for example, recommend that "cloud computing creates security problems in the form of loss of confidentiality if authentication is not robust and loss of service if internet connectivity is unavailable or the supplier is in financial difficulties".
- ENISA, the EU's information security agency, casts more doubt on the advisability of cloud computing, concluding that "its adoption should be limited to non-sensitive or non-critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy".
- Larry Ellison, the founder of Oracle, says frankly: "The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?"
- And as for Richard Stallman, he says that cloud computing is a "trap":
The Guardian quote one actual user of real live cloud computing services as follows:
... Richard Stallman, founder of the Free Software Foundation and creator of the computer operating system GNU, said that cloud computing was simply a trap aimed at forcing more people to buy into locked, proprietary systems that would cost them more and more over time.
"It's stupidity. It's worse than stupidity: it's a marketing hype campaign," he told The Guardian.
"Somebody is saying this is inevitable – and whenever you hear somebody saying that, it's very likely to be a set of businesses campaigning to make it true."
Mr Scaife's assumption is that cloud computing offers greater security than can be achieved in-house. But how do you know? According to the Guardian again:
We went ahead and moved our business to public cloud computing about 18 months ago. It has been a nightmare, there have been times when the company is down because our collaboration software, Basecamp, is unreachable. We also have an Amazon cloud solution. How secure is this, what if there is a breach? How do you even call Amazon, they don't even have a phone number for us? The level of transparency is not there.
Google is another supplier of cloud computing and Eran Feigenbaum is their director of security for Google Apps. Are we really to believe that Google can provide higher security than HMG?
Despite these efforts, tough issues remain. One is that organisations often cannot perform audits to verify the vendor's claims. Google, for example, does not allow it. "It does more to impede the security, letting everybody in to take a look at everything," Feigenbaum says.
Maybe. We are used to finding fault with HMG. That doesn't mean that Google are faultless.
Let's be clear what Mr Scaife is talking about here. All our tax records, all our state education records, all our state healthcare records and state housing records, all our National Insurance and state pension records, all our criminal records, ... could be stored on Amazon web servers or Google web servers or anyone else's web servers.
Where would those servers be? Where would our data be? They could be anywhere. Anywhere where Amazon/Google can provide their allegedly scalable and flexible services most cheaply. Who has jurisdiction over the data if it's in Vanuatu (formerly the New Hebrides but now the Ripablik blong Vanuatu)? How do you enforce any British law there?
HMG might or might not be able to keep control. The US have taken steps to do so already, and not just to control their own data:
Mr Scaife acknowledges this problem:
There is also concern about the US anti- terrorism legislation called the Patriot Act, which gives the US government a right of access to any data stored on US soil, and possibly any data on servers belonging to a US company, if it is deemed necessary for security investigations. In some cases, that is not an acceptable risk.
If government is going to protect national security and the confidentiality of personal data, then that surely points firmly against cloud computing and Mr Scaife's putative cost savings won't be available after all. Alternatively, if HMG is determined to try to achieve those putative savings, will the population no longer be relying on HMG? Will we be relying instead on the good will of Amazon and Google? Is the job too difficult, and HMG is giving up on the business of government?
The operation of separate and parallel ICT systems for government departments is analogous to operating separate water or electricity supplies for government departments. It is expensive, often unnecessary, and the benefits are dubious. At the same time, government is in a unique position in that it must both protect assets of national security, and that it must provide adequate protection of the personal data entrusted to it.
Having asserted that government's responsibilities are unique, three paragraphs later Mr Scaife says:
Clearly, his point is that government computing requirements are not unique after all – "we need to avoid getting into a tiz about how ... ‘special’ we think we are". He thinks that's an argument for adopting cloud computing. It isn't. It's the reverse.
Government is now beginning to recognising the potential cloud has to help us deliver ‘better for less’, to drive down costs and to improve services. Our job now is to seize the opportunity to capitalise on that. Cloud is a ‘no-brainer’, but we need to avoid getting into a tiz about how scary it sounds to us and how ‘special’ we think we are.
Anyone using the cloud has lost control of their data and of their costs. Do lawyers store your confidential data in the cloud? Let's hope not. They shouldn't. There's nothing special about government in this respect. HMG shouldn't adopt cloud computing either, any more than lawyers. Not if they're going to maintain national security. Not if they're going to take the confidentiality of personal data seriously. And not if they have a brain.
Public administration in the UK is in a parlous state. No-one doubts that there are real problems. Cloud computing is not the answer.
PS For what it's worth, DMossEsq posted a comment on the G-Cloud blog raising some of the questions above. The comment has been published but the last sentence, including a link to this article, has been removed. It's a small thing but was the comment edited in the UK? Or Vanuatu? How will you defend your position if your tax records are edited? And what if they're copied by Google, at the request of the US government? While framing your answers, please follow Mr Scaife's advice and try to "avoid getting into a tiz about how scary it sounds to [you] and how ‘special’ [you] think [you] are".