[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
 CLOUD COMPUTING: AN OVERVIEW OF THE TECHNOLOGY AND THE ISSUES FACING 
                          AMERICAN INNOVATORS

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INTELLECTUAL PROPERTY,
                     COMPETITION, AND THE INTERNET

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 25, 2012

                               __________

                           Serial No. 112-122

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov


                  U.S. GOVERNMENT PRINTING OFFICE
75-311                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                       COMMITTEE ON THE JUDICIARY

                      LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina         JERROLD NADLER, New York
ELTON GALLEGLY, California           ROBERT C. ``BOBBY'' SCOTT, 
BOB GOODLATTE, Virginia                  Virginia
DANIEL E. LUNGREN, California        MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio                   ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana                  MAXINE WATERS, California
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     MIKE QUIGLEY, Illinois
TED POE, Texas                       JUDY CHU, California
JASON CHAFFETZ, Utah                 TED DEUTCH, Florida
TIM GRIFFIN, Arkansas                LINDA T. SANCHEZ, California
TOM MARINO, Pennsylvania             JARED POLIS, Colorado
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona
MARK AMODEI, Nevada

           Richard Hertling, Staff Director and Chief Counsel
       Perry Apelbaum, Minority Staff Director and Chief Counsel
                                 ------                                

  Subcommittee on Intellectual Property, Competition, and the Internet

                   BOB GOODLATTE, Virginia, Chairman

                   BEN QUAYLE, Arizona, Vice-Chairman

F. JAMES SENSENBRENNER, Jr.,         MELVIN L. WATT, North Carolina
Wisconsin                            JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
STEVE CHABOT, Ohio                   JUDY CHU, California
DARRELL E. ISSA, California          TED DEUTCH, Florida
MIKE PENCE, Indiana                  LINDA T. SANCHEZ, California
JIM JORDAN, Ohio                     JERROLD NADLER, New York
TED POE, Texas                       ZOE LOFGREN, California
JASON CHAFFETZ, Utah                 SHEILA JACKSON LEE, Texas
TIM GRIFFIN, Arkansas                MAXINE WATERS, California
TOM MARINO, Pennsylvania             HENRY C. ``HANK'' JOHNSON, Jr.,
SANDY ADAMS, Florida                   Georgia
MARK AMODEI, Nevada

                     Blaine Merritt, Chief Counsel

                   Stephanie Moore, Minority Counsel


                            C O N T E N T S

                              ----------                              

                             JULY 25, 2012

                                                                   Page

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Subcommittee on 
  Intellectual Property, Competition, and the Internet...........     1

The Honorable Lamar Smith, a Representative in Congress from the 
  State of Texas, and Chairman, Committee on the Judiciary.......     3

                               WITNESSES

Robert W. Holleyman, II, President and Chief Executive Officer, 
  Business Software Alliance (BSA)
  Oral Testimony.................................................     6
  Prepared Statement.............................................     8

Justin Freeman, Corporate Counsel, Rackspace US, Inc.
  Oral Testimony.................................................    15
  Prepared Statement.............................................    17

Daniel Chenok, Executive Director, Center for the Business of 
  Government, International Business Machines Corporation (IBM)
  Oral Testimony.................................................    27
  Prepared Statement.............................................    28

Daniel Castro, Senior Analyst, Information Technology and 
  Innovation Foundation (ITIF)
  Oral Testimony.................................................    33
  Prepared Statement.............................................    35

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Prepared Statement of the Honorable Melvin L. Watt, a 
  Representative in Congress from the State of North Carolina, 
  and Ranking Member, Subcommittee on Intellectual Property, 
  Competition, and the Internet..................................     2

                                APPENDIX
               Material Submitted for the Hearing Record

Letter from Robert W. Holleyman, II, President & Chief Executive 
  Officer, Business Software Alliance (BSA)......................    64

Supplemental Material submitted by Robert W. Holleyman, II, 
  President & Chief Executive Officer, Business Software Alliance 
  (BSA)..........................................................    67

Report by TechAmerica Foundation.................................   114

Prepared Statement of William Weber, General Counsel, Cbeyond, 
  Inc............................................................   149
                        OFFICIAL HEARING RECORD
      Material Submitted for the Hearing Record but not Reprinted

111th Congress hearing entitled ECPA Reform and the Revolution in Cloud 
    Computing, September 23, 2010, Subcommittee on the Constitution, 
    Civil Rights, and Civil Liberties, Committee on the Judiciary, 
    submitted by the Honorable Melvin L. Watt, a Representative in 
    Congress from the State of North Carolina, and Ranking Member, 
    Subcommittee on Intellectual Property, Competition, and the 
    Internet. The hearing is not reprinted in this record but is 
    available at the Committee and can be accessed at:

    http://judiciary.house.gov/hearings/printers/111th/111-149--
58409.PDF.


 CLOUD COMPUTING: AN OVERVIEW OF THE TECHNOLOGY AND THE ISSUES FACING 
                          AMERICAN INNOVATORS

                              ----------                              


                        WEDNESDAY, JULY 25, 2012

              House of Representatives,    
         Subcommittee on Intellectual Property,    
                     Competition, and the Internet,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 12:10 p.m., in 
room 2141, Rayburn Office Building, the Honorable Bob Goodlatte 
(Chairman of the Subcommittee) presiding.
    Present: Representatives Goodlatte, Smith, Marino, Watt, 
Nadler, and Lofgren.
    Staff present: (Majority) Vishal Amin, Counsel; Olivia Lee, 
Clerk; and (Minority) Stephanie Moore, Subcommittee Chief 
Counsel.
    Mr. Goodlatte. Good afternoon. The Subcommittee of 
Intellectual Property, Competition, and the Internet will come 
to order. And I will recognize myself for an opening statement.
    Today we are holding a hearing on cloud computing. Cloud 
computing represents a fundamental shift in the delivery of 
services, software, and data storage. The move toward cloud 
services helps lower the barriers to entry and democratizes 
access to technology for small- and medium-sized businesses.
    Companies no longer need to purchase or build server farms 
or have an IT team to deal with security issues and hardware 
malfunctions. The cloud brings together reduced costs, device 
and location independence, reliability, scalability, security, 
and performance.
    But with new technology come new issues that deal with 
security, privacy, and market access. As more software becomes 
cloud or Internet-based, cybersecurity and privacy issues 
become intertwined.
    To set the stage for today's hearing, we have witnesses 
that can speak to the key service areas of cloud computing. 
These include infrastructure, platform, and software. 
Infrastructure as a service refers to storage where companies 
offer dedicated or share servers to customers to store their 
information. Platform as a service means that a company is 
delivering an operating system that allows others to build new 
apps on top of their system. The third flavor of cloud refers 
to software as a service. Here the software is installed in the 
cloud, eliminating the need for physical copies of software. 
Updates occur seamlessly, and customers access the software 
through the Internet.
    But apart from the overall technology, there are issues 
that companies in this industry are concerned about, and there 
are issues that our customers are concerned about. In the 
market access arena, cloud companies need to be able to operate 
globally, and restrictions placed on cloud providers in 
particular countries can effectively limit market access and 
prevent services from being delivered to and adopted by 
consumers.
    There are also issues dealing with international 
operability. As cloud computing services take hold, it is 
important for there to be clear rules of the road when it comes 
to industry standards and international rules. Cloud companies 
and customers also have a strong interest in ensuring that the 
privacy and security of the data stored and used on their 
systems is secure.
    For consumers, it means they want to know how their 
personal information is being used and protected. For 
companies, the concern is on security, ensuring that company 
trade secrets and business information is adequately protected 
and easily accessible in the cloud.
    I look forward to hearing from all of our witnesses on 
these and other issues that they are seeing, and also engage in 
a discussion on the issues that cloud computing faces going 
forward. We need to ensure that as this new American technology 
sector grows, it is able to compete on a level playing field 
abroad and to promote U.S. innovation technology and jobs.
    And with that, it is my pleasure to recognize the Ranking 
Member, the gentleman from North Carolina, Mr. Watt.
    Mr. Watt. Thank you, Mr. Chairman, and I think the Chairman 
has sufficiently outlined the range of issues that are, I 
think, important to this hearing. It is an important hearing 
about things in the cloud, which some people say that is where 
I always am. So I want to figure out what is going on up there.
    I think I will just submit my statement for the record. I 
will have some questions about how we can incentivize 
competition in the cloud. But except for that, I think the 
Chairman has outlined the issues. So I will submit my statement 
for the record.
    I know we have got a very short time window that we are 
operating in, and I think hearing the witnesses is a lot more 
important than hearing me. So I will yield back.
    Mr. Goodlatte. I thank the gentleman, and without 
objection, his entire statement will be made a part of the 
record.
    [The prepared statement of Mr. Watt follows:]

Prepared Statement of the Honorable Melvin L. Watt, a Representative in 
    Congress from the State of North Carolina, and Ranking Member, 
  Subcommittee on Intellectual Property, Competition, and the Internet

    Thank you, Mr. Goodlatte.
    I will be brief. This hearing promises to cover a full range of 
issues involved with cloud computing. For many consumers, migration to 
the cloud has been driven by fast broadband connections, low-cost 
mobile devices and a mobile population that expects access to data and 
applications anywhere and anytime. This generation has become 
accustomed to the luxury of never having to delete an e-mail or 
document because of the ``unlimited'' and safe storage capabilities 
cloud computing affords. Organizations, including start-ups, are also 
embracing cloud computing because of the flexibility and agility it 
provides. A business, for example, can scale up or down its information 
technology ``IT'' usage according to demand with no long term 
commitments and no high imbedded costs.
    These extraordinary benefits to companies and individuals alike 
also come with increased concerns about reliability, security and 
privacy. The power outages earlier this month at Amazon's Web Services 
datacenter in North Virginia due to fierce thunderstorms throughout the 
Mid-Atlantic region of the U.S. raise lingering concerns about the 
reliability of cloud services. Two weeks later, the District's Metro 
subway system experienced a mysterious software failure that has been 
widely subject to speculation that its data center was hacked. As the 
migration to the cloud continues, companies must take care to ensure 
the security of their systems on several levels.
    There are multiple layers of privacy concerns as well. Although I 
am sympathetic to the barriers companies are facing internationally due 
to other countries' perceptions of our privacy laws, I am more 
concerned with the consumer's right to privacy within the cloud. While 
I continue to believe that consumer privacy is paramount, the cloud 
offers new and innovative ways for the technologically savvy criminal 
to exploit the cloud for nefarious purposes. The ``Backpage'' 
prostitution scandal with Craigslist is just one example. The cloud 
must develop with caution to ensure that illegality does not flourish 
within the cloud, and Congress should update the Electronic 
Communications Protection Act (ECPA) to provide clear guidance on when 
and how law enforcement is entitled to access otherwise private data 
and communications.
    Finally, one area that I do not think has been given enough 
attention is competition in the cloud computing industry. Although news 
accounts suggest that competition is currently robust, there are 
concerns that it may be changing. I am interested in hearing more in 
this area--how we ensure continued competition and lower costs to 
businesses and consumers.
    With that, Mr. Chairman, I yield back.
                               __________

    Mr. Goodlatte. And it is now my pleasure to recognize the 
Chairman of the Judiciary Committee, the gentleman from Texas, 
Mr. Smith.
    Mr. Smith. Thank you, Mr. Chairman. I just want to point 
out to those who are present that I believe this is the first 
time this Subcommittee or any Committee has had a hearing on 
this particular subject. And I think that, Mr. Chairman, that 
is to your credit. This is an important subject and an 
important area of tech that is going to do nothing but increase 
in the future.
    I have a short opening statement, and then we will get on 
to the panelists.
    America's economic success has been built on innovation. 
Cloud computing can transform everything from business 
operations, data storage, and analysis to the delivery of 
software and services to businesses and consumers alike. The 
cloud industry is growing rapidly. Wall Street Journal reported 
that technology cloud services worldwide had $16 billion in 
revenue in 2009, and cloud service revenue is expected to 
double this year and hit $73 billion by 2015.
    Because cloud providers can offer more robust data services 
at a lower cost than would be possible for a company to 
replicate for itself, the move to the cloud will help companies 
reduce information technology costs and add to their technical 
capabilities.
    But as these new technologies and products develop, it is 
clear that certain foreign governments have taken steps to 
disadvantage American cloud companies by imposing barriers to 
market access. Some of the barriers include restrictive 
regulations or policies that mandate the use of certain 
technologies or require a cloud service to be placed in country 
as a condition of doing business.
    Cloud computing relies on the seamless flow of data across 
borders and international interoperability. Unfortunately, some 
countries have adopted rules that limit the specific types of 
data that can leave their borders, and have put in place 
restrictive regulatory frameworks.
    Some countries also have spread deliberate misinformation 
about U.S. laws, like the PATRIOT Act, saying that it 
negatively affects the security and privacy protections that 
U.S. cloud providers offer compared to European providers. 
These actions hurt the competitiveness of American companies 
and cost Americans jobs.
    Today's witness panel represents a range of cloud services, 
and I am pleased that Rackspace is here today. They are a San 
Antonio, Texas-based company that has operations throughout the 
world. Founded in the late 1990's, Rackspace now has nearly 
half of the Fortune 100 as clients. They provide cloud 
computing services for computing, cloud files for storage, and 
cloud applications for e-mail collaboration and file backups. 
They also manage web-based IT systems for small-, medium-, and 
large-sized business, and offers scalable services depending on 
its customers' needs.
    Though the technology of cloud computing is new, the issues 
are not. As the U.S. government develops domestic policies and 
our policies with our international trading partners, we need 
to ensure that American innovators are treated fairly.
    Thank you, Mr. Chairman, and I will yield back.
    Mr. Goodlatte. I thank the Chairman.
    Mr. Watt. Mr. Chairman?
    Mr. Goodlatte. The gentleman from North Carolina is 
recognized.
    Mr. Watt. I just wanted to make one minor correction to 
what Chairman Smith said. There was a hearing on Electronic 
Communications Protection Act reform and cloud computing. It 
was done September 23, 2010, by Jerry Nadler's Subcommittee, 
the Subcommittee on the Constitution of this Committee. And so 
technically we have not had a hearing specifically on the 
cloud, but this was an aspect of it, so I will submit the 
record of that hearing with unanimous consent just so it will 
all be part of the record.
    Mr. Goodlatte. Without objection, the noting of the 
previous hearing in the Constitution Subcommittee will be duly 
noted.*
---------------------------------------------------------------------------
    *The hearing submitted by Mr. Watt, entitled ECPA Reform and the 
Revolution in Cloud Computing, is not reprinted in this hearing record 
but is available at the Committee and can be accessed at http://
judiciary.house.gov/hearings/printers/111th/111-149--58409.PDF.
---------------------------------------------------------------------------
    Without objection, other Members' opening statements will 
be made a part of the record.
    Mr. Smith. I said this was the first time this Subcommittee 
had had such a hearing on this----
    Mr. Watt. Or any Committee. That is where you went awry. 
But I acknowledge that technically you were probably----
    Mr. Smith. Let us not waste any more time on that.
    Mr. Goodlatte. We will be pleased to begin the first 
hearing on cloud computing of this Subcommittee by hearing from 
our witnesses. We have a very distinguished panel of witnesses 
today.
    Each of the witnesses' written statements will be entered 
into the record in its entirety, so I ask that each witness 
summarize his testimony in 5 minutes or less. To help you stay 
within that time, there is a timing light on your table. When 
the light switches from green to yellow, you will have 1 minute 
to conclude your testimony. When the light turns red, it 
signals that the witness' 5 minutes have expired.
    And as is the custom of this Subcommittee, before I 
introduce the witnesses, I would like them to stand and be 
sworn.
    [Witnesses sworn.]
    Mr. Goodlatte. Thank you very much, and please be seated.
    Our first witness is known to and a good friend of many 
Members of the Judiciary Committee, Mr. Robert Holleyman. He 
serves as the President and CEO of the Business Software 
Alliance. He has headed BSA since 1990, expanding their 
operations to more than 80 countries and launched 13 foreign 
offices in addition to their D.C. headquarters.
    Mr. Holleyman has been named one of the 50 most influential 
people in the intellectual property world by the international 
magazine Managing IP. He was also named by the Washington Post 
as one of the key players in the U.S. government's 
cybersecurity efforts for his work on behalf of industry on 
national cybersecurity policy.
    Before joining BSA, Mr. Holleyman served as counsel in the 
U.S. Senate and as an attorney with a leading law firm in 
Houston, Texas. He earned his Bachelor of Arts degree at 
Trinity University in San Antonio, Texas, and his Juris Doctor 
from Louisiana State University Law Center in Baton Rouge. He 
also completed the Executive Management Program at the Stamford 
Graduate School of Business.
    And it is my pleasure to turn to the Chairman of the 
Committee on the Judiciary, Mr. Smith, to recognize and 
introduce our second witness.
    Mr. Smith. Thank you again, Mr. Chairman. I am happy to 
introduce Mr. Justin Freeman, Corporate Counsel of Rackspace 
Hosting based in San Antonio.
    Rackspace, founded in 1998, has grown into a multinational 
company with operations spanning the globe. They provide cloud 
computing services and manage web-based IT systems for 
businesses of all sizes.
    Mr. Freeman is part of Rackspace's legal team and deals 
primarily with the rapidly expanding field of cloud computing. 
He represents Rackspace in technically complex enterprise 
transaction agreements, leads product review and development 
efforts, and directs public policy matters with a focus on 
cloud computing security and privacy issues. He has an 
extensive technical background, including specialization in 
network security systems and patient care, critical healthcare 
IT systems.
    Mr. Freeman received his law degree from Southern Methodist 
University School of Law and his undergraduate degree from the 
University of Texas at Austin. We are pleased he is here today 
to talk more about this important and growing sector of our 
tech economy. Welcome, Mr. Freeman.
    Mr. Goodlatte. Mr. Freeman, welcome. And, Mr. Chenok, 
welcome. Our fourth witness is--third witness is Mr. Dan 
Chenok, Executive Director of the IBM Center for the Business 
of Government. The center connects public management research 
with practice, helping executives improve the effectiveness of 
government with practical ideas, which has included several 
center reports that address cloud computing.
    Mr. Chenok also serves as the Chair of the Federal 
Information Security and Advisory Board, which has explored 
numerous issues where security and privacy intersect with cloud 
computing.
    Before joining IBM, he was a Senior Vice President for 
Civilian Operations with Pragmatics. He also served in the 
Office of Management and Budget, in the Executive Office of the 
President, as the Branch Chief for Information Policy and 
Technology. Mr. Chenok left the government in 2003.
    He received his Master of Public Policy from Harvard 
University John F. Kennedy School of Government and his B.A. 
from Columbia University.
    Our fourth witness is Mr. Daniel Castro, Senior Analyst at 
the Information Technology and Innovation Foundation, ITIF. Mr. 
Castro specializes in IT policy, including issues relating to 
data privacy, e-commerce, e-government, and information 
security and accessibility. Before joining ITIF, Mr. Castro 
worked as an IT analyst at the Government Accountability 
Office, GAO, and was a Visiting Scientist at the Software 
Engineering Institute in Pittsburgh, Pennsylvania.
    Mr. Castro received his B.S. in Foreign Service from 
Georgetown University and an M.S. in Information Security 
Technology and Management from Carnegie Mellon University.
    Welcome to you all, and we will begin with Mr. Holleyman.

   TESTIMONY OF ROBERT W. HOLLEYMAN, II, PRESIDENT AND CHIEF 
      EXECUTIVE OFFICER, BUSINESS SOFTWARE ALLIANCE (BSA)

    Mr. Holleyman. Chairman Goodlatte, Ranking Member Watt, 
Chairman Smith, thanks to companies like those who are in the 
Business Software Alliance and sitting here at this table, 
America is the top player in cloud computing. But we better 
watch out. Other countries are doing everything they can to 
knock us off the block.
    They have seen the forecasts that we all have seen. Public 
IT cloud revenue, which exceeded $28 billion last year, will 
grow to more than $73 billion by 2015. But the big thing that 
is happening is the innovation enabled by the cloud. A recent 
study found that cloud-driven innovation across all sectors 
will generate more than a trillion dollars in revenue and 
millions of jobs in the years ahead.
    Because the stakes are so high, and because of U.S. cloud 
companies' early leadership, some countries are taking policy 
steps to shut us out of their markets. The stakes of this are 
enormous, and if we want to get things right and to continue 
leading in the cloud, there is an urgent need for Congress and 
the Administration to forge an open and competitive global 
landscape.
    I would like to cover three things today: first, the scope 
of the problem, second, the mix of public policies that are 
needed to address it, and, third, some specific things that 
this Committee can do.
    The problem before us is unfolding around the world. As was 
indicated in my introduction, BSA has 13 foreign offices, and 
we have done a lot of on-the-ground work and two ground-
breaking studies about the cloud. One is a global ``Cloud 
Scorecard'' that looks at 80 percent of the global ICT market 
and ranks the competitiveness and a host of factors that affect 
the U.S. and other countries, and the ability of companies to 
succeed in the cloud. And the second is ``Lockout,'' which is a 
report about a new wave of IT barriers that are being erected 
internationally.
    Our research shows that governments in many countries are 
doing things to carve the cloud up into country-sized pieces so 
that local players can dominate their own backyards without 
competition. For example, in the name of privacy and security, 
we are seeing some countries require data to be hosted inside 
their borders, even non-sensitive commercial information. You 
would have to build a local data center to do business in some 
of these countries, and that could put a prohibitive burden on 
international cloud players.
    Some countries are even adopting rules that would 
explicitly prevent the transfer of personal information outside 
their borders. Now these are bad signs for the global economy, 
but especially for America since we are so heavily dependent on 
selling products and services overseas.
    It is critical for Congress and the Administration to show 
the world a better mix of cloud policies. And we can do that by 
getting three things right. First, we need to ensure that 
privacy and security rules protect consumers while also 
encouraging robust digital commerce. Second, we need to promote 
a free trade agenda that ensures that data can flow across 
borders. And third, we need to promote innovation in the cloud 
the same way we promote it everywhere else. That means 
protecting innovators' rights when they bring new products to 
market, and it means stopping all forms of cybercrime and 
theft.
    This Committee has an important role to play in this issue. 
For example, there is a myth that cloud computing puts an end 
to software piracy. In reality, piracy is evolving. This 
Committee can ensure that we have tools to vigorously enforce 
laws against IP theft no matter where that technology or how 
that technology is used. Secondly, this Committee can take a 
lead role in reforming the Electronic Communications Privacy 
Act, ECPA. In the cloud era, digital files should be subject to 
the same laws and protections as paper files. And finally, we 
need to dispel myths about the PATRIOT Act. Foreign governments 
are scaring customers away from U.S. cloud services by 
portraying our law as unusually invasive. The fact is every 
government has authority to access data to protect national 
security, and everyone needs to understand that.
    We look forward to discussing these issues with you and to 
working with the Committee. The future of the cloud computing 
industry and American leadership depends on your work. Thank 
you.
    [The prepared statement of Mr. Holleyman follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    

------------
See Appendix for the attachments submitted with this statement.


                               __________
    Mr. Goodlatte. Thank you, Mr. Holleyman.
    Mr. Freeman, welcome.

 TESTIMONY OF JUSTIN FREEMAN, CORPORATE COUNSEL, RACKSPACE US, 
                              INC.

    Mr. Freeman. Thank you, Mr. Chairman. On behalf of both 
myself and Rackspace, I would like to express my appreciation 
for the time of this Committee and the opportunity to provide 
some additional insight into the key elements of cloud 
computing, and address some of the primary challenges of the 
competitiveness of American cloud providers.
    Congressman Smith, I appreciate your introduction of 
Rackspace.
    With our focus on fanatical support, which is a fierce 
commitment to a customer-oriented set of core values, Rackspace 
has grown rapidly and now serves more than 170,000 customers in 
120 countries, including most global Fortune 100 companies.
    Rackspace focuses on providing the cloud infrastructure and 
support technologies that enable the modern economy to benefit 
from the cost savings that cloud computing provides. Our latest 
focus is open stack, which is an open source cloud platform 
jointly developed with NASA. Open cloud technologies are the 
forefront of the cloud technology revolution. By fostering 
industry standards for cloud computing, which span multiple 
providers, open technologies advance security and help 
eliminate proprietary lock-in, which would be a requirement 
that cloud applications be tied to a specific provider, 
permitting cloud users to move their applications and data from 
provider to provider as they see fit.
    While the phrase ``the cloud'' encompasses a set of 
technologies, services, and use cases, far too broad to go into 
detail here, I want to provide you with a sense of the critical 
elements of cloud computing. At its most basic, cloud computing 
is simply the use of remote computing resources, relying on the 
storage and processing capabilities of a remote system rather 
than, say, your local laptop.
    We have all been using the cloud in some fashion for quite 
a while. Whenever we store e-mails with a web service like 
Gmail or Hotmail, we are essentially ceding control of that 
data to the cloud.
    One of the most critical impacts of the cloud is of the 
shift to using remote shared resources, permits businesses to 
consume information technology in a utility or a pay-for-what-
you-use model. This cost-effective delivery method makes 
information technology resources scalable, dynamic, and 
flexible, in turn driving efficiency and innovation across all 
sectors of the economy.
    In order to continue promoting the resulting economic 
growth, it is essential we establish a supportive legal and 
regulatory environment, which is alignment with the critical 
cloud technologies.
    We see two major barriers to the ongoing competitiveness of 
American cloud providers: market access issues, which were 
substantially informed by privacy concerns, and the 
exploitation of the U.S. patent system by patent trolls.
    Concerns about privacy and security of data have become 
heightened as businesses hand off their data to systems in the 
cloud. And they are a major barrier to the competitiveness of 
American cloud companies internationally. Concerns about data 
privacy limits, the willingness of foreign companies to do 
business with United States firms, and threatening to exclude 
American companies from competing abroad.
    The lack of international privacy standards is a growing 
source of distrust amongst regulatory agencies seeking to 
enforce their domestic laws, and businesses struggling to 
ensure their compliance. There is a perception, even if 
unfounded, that U.S. privacy protections are insufficient to 
protect the data which is stored either on U.S. soil or with 
U.S. companies. This concern results in a reluctance by foreign 
companies to do business with U.S. cloud companies, and we 
increasingly see regulatory authorities, especially in the EU 
and European economic area, moving in the direction of denying 
U.S. cloud providers access to the European market.
    It is critical to the ongoing competitiveness of American 
cloud companies that we take the lead and move toward to a 
consistent international privacy and data transfer framework 
while also providing clear interpretation of U.S. law which 
impact the obligations of cloud companies at managing the data 
of foreign citizens and businesses.
    The second major threat to U.S. cloud providers is the 
exploitation of the patent system by so-called patent trolls. 
These are non-practicing entities which gather portfolios of 
patents with the sole intent of using them to extract 
settlements from companies unwilling to engage in expensive and 
protractive litigation.
    These patent trolls are not protecting inventors or 
benefitting startups. To the contrary, a recent study 
calculated that their predatory tactics have resulted in the 
direct costs in excess of $29 billion to the industry, with 
approximately 40 percent of those costs formed by small and 
medium businesses.
    Patent litigation costs routinely exceed $2 to $3 million 
per suit, and patent trolls seek settlement after settlement in 
order to artificially increase the value of a patent portfolio 
without any relation to its actual market value. The result is 
a cascading extortionist abuse of the patent system.
    Cloud technologies are advancements to existing information 
technologies and require a fair and balanced patent system in 
order to remain innovative. Cloud and open technology standards 
cannot survive in this environment. It is essential that we 
protect the growing use of standardized cloud technologies, the 
benefits they bring, and allow cloud companies to reinvest in 
technologies, jobs, and innovation instead of revenue draining 
litigation.
    We at Rackspace share your commitment toward creating 
successful legislation that enhances U.S. business 
competitiveness, while ensuring the Internet remains a free and 
open driver of innovation for our long-term future.
    Thank you for your time. We look forward to working closely 
with you.
    [The prepared statement of Mr. Freeman follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
                               __________

    Mr. Goodlatte. Thank you, Mr. Freeman.
    Mr. Chenok, welcome.

TESTIMONY OF DANIEL CHENOK, EXECUTIVE DIRECTOR, CENTER FOR THE 
    BUSINESS OF GOVERNMENT, INTERNATIONAL BUSINESS MACHINES 
                       CORPORATION (IBM)

    Mr. Chenok. Thank you, Chairman Goodlatte, Ranking Member 
Watt, Chairman Smith, and the entire Subcommittee.
    Mr. Goodlatte. You may want to turn your microphone on 
there and pull it close.
    Mr. Chenok. Will do. Thank you, Chairman Goodlatte, Ranking 
Member Watt, Chairman Smith, and the Subcommittee for the 
opportunity to speak today. And thank you for the introduction 
earlier.
    I am Dan Chenok, Executive Director of the IBM Center for 
the Business of Government. The center helps government 
executives improve the effectiveness of their agencies and 
programs and has addressed cloud computing from a number of 
perspectives over the past few years. My testimony today draws 
on this and other experience with the growth of cloud 
computing.
    Moving the cloud brings numerous demonstrable and positive 
outcomes, such as cost savings, shared resources, increased 
program effectiveness, energy and environmental improvements, 
and, as others have noted today, innovation.
    I will focus today on three key issues that we see cloud 
can best be leveraged now and in the future. First, how to 
implement cloud efficiently, second, how best to address 
security, and third, how to leverage the cloud's global model 
effectively.
    The key for success with cloud implementation is a strategy 
to define how to increase efficiency, save costs, and improve 
performance of programs in the cloud. A small investment in up 
front planning can pay large dividends in measured outcomes 
from any cloud migration because most entities integrate cloud 
into their existing legacy environments. They must make choices 
as to what technologies, processes, and data should migrate to 
the cloud over what period of time and at what cost.
    I would note that the Federal Government has already begun 
to realize the benefits of cloud computing. Movement to the 
cloud can fundamentally transfer how Federal agencies leverage 
IT. And 
efforts such as the OMB cloud strategy and GSA FedRAMP 
initiatives are spurring progress. Our center has produced 
papers 
on cloud implementation available at our website, 
www.businessof
government.org.
    With respect to security, despite perceived concerns about 
security risks, cloud can provide for an environment that is 
superior for applying many critical security measures. 
Centralizing data storage and governance in the cloud can 
actually provide better security at a lower cost than is the 
case with traditional computing environments.
    Moreover, cloud can improve certain key security practices, 
such as detection of threats, remediation to minimize those 
threats, prediction of where threats may occur next, and 
protection of data and devices.
    Regarding the global model, the benefits of cloud computing 
increase when providers can move computing and data power to 
locations that are most cost-effective rapidly and with no loss 
of service quality or security. Real time movement of computing 
resources points out the need to understand, as others have 
noted today, issues involved in cross-border data flows in the 
cloud. Most issues in this space are best addressed via 
contracts between parties who can designate jurisdiction and 
establish clear provisions for ownership, privacy, and 
security.
    I would like to highlight several issues that impact the 
cloud's global nature. These areas are the extent to which 
government can access data across borders, international 
privacy collaboration, and open standards.
    The extent to which government can access data across 
borders can be a subject of confusion among cloud providers and 
users. However, as has been indicated today, many nations have 
similar domestic data policies. A recent white paper from the 
law firm Hogan Lovells found that each of the 10 countries 
studied vests authority in the government to require a cloud 
service provider to disclose customer data in certain 
situations. And in most instances, this authority enables the 
government to access data physically stored outside the 
country's borders.
    And as Chairman Smith indicated in his opening remarks, 
this study also indicated that in a number of cases, 
protections from government intrusion in the U.S. were actually 
greater than in other countries.
    Regardless of jurisdiction, individuals whose data resides 
in the cloud will have greatest confidence if, to the extent 
permissible under law, they do not lose protection solely based 
on where their data is stored and processed.
    Cloud computing would also benefit from an international 
regime that promotes privacy and supports efficiency cross-
border data flows. While complete harmonization of rules is not 
practical or desirable, countries may be able to recognize each 
other's rules, including privacy safeguards.
    Finally, the benefits of cloud can best be achieved by 
reliance on open standards that promote data portability and 
interoperability, which are critical for successful adoption 
and delivery of cloud-based solutions. An open standards 
approach would also help to address location-based mandates. 
While certain practices by governments to locally-sourced cloud 
computing may be understandable, governments could enhance the 
cloud's efficiency and cost-effectiveness by avoiding local 
mandates and leveraging and encouraging an open global model.
    Chairman Goodlatte, Ranking Member Watt, Chairman Smith, 
the Subcommittee, thank you for the opportunity, and I welcome 
any questions.
    [The prepared statement of Mr. Chenok follows:]

       Prepared Statement of Daniel Chenok, Executive Director, 
               Center for The Business of Government, IBM

    Good afternoon, and thank you Chairman Goodlatte, Ranking Member 
Watt, and the entire Subcommittee for the opportunity to speak with you 
about cloud computing.
    I am Dan Chenok, Executive Director of the Center for The Business 
of Government at IBM. The Center connects public management research 
with practice. Since 1998, we have helped public sector executives 
improve the effectiveness of government with practical ideas and 
original thinking. We sponsor independent research from the academic 
and non-profit sectors, and we create opportunities for dialogue on a 
broad range of public management topics. The Center has addressed cloud 
computing from a number of perspectives over the past few years.
    I also serve as Chair of the Information Security and Privacy 
Advisory Board, which is the chartered under the Federal Information 
Security Management Act (FISMA) to advise the government about 
information security and privacy issues affecting civilian Federal 
agencies, and has addressed security and privacy issues involved in 
cloud computing.
    My testimony today draws on this and other experience that I have 
had with the growth of cloud computing, primarily with respect to how 
government can best promote the efficient, secure, and cost-effective 
use of this technology. After addressing context and benefits, I will 
focus on three key issues that impact how cloud can best be leveraged, 
now and in the future.

                                CONTEXT

    Many descriptions of cloud computing are cited across government 
and industry, including a formal definition from the National Institute 
of Standards and Technology (NIST). I would offer that the cloud 
includes environments where physically distributed computing 
resources--including infrastructure, applications, or databases--
connect in real time to help a company, consumer, or government agency 
perform a transaction, service, or inquiry.
    Cloud services can be provided over the public Internet, but can 
also be done through connections over networks that run independently. 
Government agencies often establish clouds independent of the open 
Internet due to perceived risks of making data available over public 
channels--but the government is moving in the direction of more use of 
the open Internet for cloud as well.
    Indeed, whether consumers, companies, and governments realize it, 
they are already in the cloud all the time. Many popular email 
services, including Gmail, Hotmail and Yahoo, function over the 
distributed networks that constitute the cloud, and provide access to 
millions of people. Businesses and governments are increasingly using 
the cloud for email as well.

                         BENEFITS OF THE CLOUD

    Cloud computing is much in the news and lexicon these days. 
Questions about the cloud include: does cloud help end users, will 
cloud help businesses and federal agencies carry out their mission, and 
will cloud reduce costs? The answer to all of these questions is 
``yes.''
    Moving to the cloud brings numerous demonstrable benefits:

      Cost Saving. Cloud computing allows customers to pay for 
just the computer resources that they use. They can avoid both a large 
initial upfront expenditure in hardware and software, and ongoing 
operating and maintenance expenses 
for their own IT. Resource usage can be monitored, controlled, and 
reported 
in a transparent way for both the provider and consumer of the cloud 
service. Indeed, a Brookings Institution study found that ``. . . 
agencies generally saw between 25 and 50 percent savings in moving to 
the cloud;'' this same report refers to other studies which claim 
savings from 39% to 99%. (http://www.brookings.edu//media/research/
files/papers/2010/4/07%20cloud%20
computing%20west/0407_cloud_computing_west)

      Increased Effectiveness. Network outages are an ongoing 
challenge for IT departments. Cloud computing can offer a higher level 
of service and reliability, reduce the harm that can come from network 
outages, and provide for a more immediate response to emergency 
situations by enabling real-time transfer of IT services to areas that 
are not affected by emergency.

      Optimized Computing Usage. IT service providers see cloud 
computing not only as a means to better serve their customers, but also 
to optimize data center usage. In many centers, only a small fraction 
of computing capacity is used at any time; the remaining capacity sits 
idle. Cloud enables flexible scaling across customers based on demand, 
which increases capacity and cost-effectiveness.

      Energy and Environmental Improvements. While most 
computers and servers are certified as energy efficient, cloud takes 
green computing one step further--decreasing electricity use, slashing 
carbon emissions, and reducing IT costs through cost-effective use of 
computer and network infrastructure. Cloud also opens avenues for 
telecommuting (e.g., through internet-based email), which brings added 
environmental benefits.

      Innovation and Transformation. Cloud computing can help 
to spur innovation and transform operations. In the next several years, 
andthe use of the cloud to pave the way for for business model 
innovation is likely to increase significantly--innovation that 
includes entering new lines of business, reshaping an existing 
industry, or transitioning into a new business role.

    In addition, and as has been noted by both the current and previous 
Federal Chief Information Officers at the Office of Management and 
Budget (OMB), Federal computer users have lagged behind industry in IT 
productivity gains from IT, with outdated applications and burdensome 
rules governing acquisition and management of IT services. Movement to 
the cloud can fundamentally transform how federal agencies leverage IT, 
and to make federal workers far more effective in their use of IT.
    The Federal government has, of course, already begun to realize the 
benefits of cloud computing. Examples include:

      the development and implementation of governmentwide and 
specific cloud strategies from OMB and agencies,

      the recent introduction of the General Services Agency 
(GSA) Federal Risk and Authorization Management Program (FedRAMP) 
program that fosters interoperability in cloud services across 
agencies. Indeed, other governments are studying FedRAMP's 
implementation closely to possibly emulate the model; and

      work by the National Institute of Standards and 
Technology (NIST) to clarify and guidance on the cloud.

                       KEY ISSUES FOR DISCUSSION

    Today, I would like discuss three main challenges for government in 
order to realize the full benefits of the cloud:

      how to implement cloud efficiently,

      how best to address security in the cloud, and

      how to leverage the cloud's global model effectively.

Implementation
    Key for success in any cloud implementation is a strategy to define 
how to increase efficiency, save costs, and improve performance of 
programs in the cloud. A small investment in upfront planning can pay 
large dividends in measured outcomes from any cloud migration. This is 
especially important because most entities do not build brand new 
computing environments where all activities operate in the cloud. 
Rather, they integrate cloud-based infrastructure, applications, and 
services into existing legacy environments, and must make choices as to 
what technologies, processes, and data should migrate to the cloud, 
over what period of time, and at what cost. To guide those choices, 
organizations need a sound up-front strategy that considers investments 
relative to resource availability and mission objectives.
    The IBM Center for the Business of Government has produced a number 
of papers that address cloud implementation, especially in the Public 
Sector. For example:

      In a 2009 report for the Center, ``Moving to the Cloud: 
An Introduction to Cloud Computing in Government,'' David Wyld provides 
non-technical executives with a roadmap to understand key questions to 
ask as their organizations move to the cloud. He frames key challenges 
facing government leaders in the space, including scalability, 
security, open standards, procurement, and legal issues.

      In 2010, author Costas Panagopoulos wrote in our semi-
annual journal, The Business of Government, about the lessons learned 
in cloud implementation by the Census Bureau (``Counting on the Cloud: 
Early Reflections on the Adoption of Cloud Computing by the U.S. Census 
Bureau''). He outlines key lessons that include the need to start early 
in cloud design, to partner with other adopters, and to correct 
problems as soon as they arise.

      Many perspectives on how best to implement cloud appear 
on our blog site, concentrated primarily in ``Strategies to Cut Costs 
and Improve Performance.'' (http://www.businessofgovernment.org/blogs/
cut-costs-and-improve-performance)

    In addition, much research and experience demonstrates that to 
maximize the cloud's benefits, organizations must move aggressively to 
adopt more standardized offerings across organizations. That is, they 
must change current technology, procurement, and business processes to 
conform to best commercial practice, rather than modifying the cloud to 
fit existing organizational processes. Standardized offerings provide 
economies of scale and allow providers to automate processes that 
result in lower costs for users.
    In addition, while savings can be achieved by migrating current 
applications, not all existing applications can run in a cloud 
efficiently. Organizations can collect data on how applications are 
being used to make informed decisions about which applications to 
migrate to the cloud, and in what order. This data can also help to 
sunset unneeded applications and optimize IT more efficiently and 
effectively.
    Finally, cloud implementation can enable innovation. Developers who 
come together over cloud-based platforms that rely on open standards 
can share ideas and test approaches in ways that take advantage of the 
wisdom of many, rather than the few who work on a custom application.

Security
    Relinquishing direct control of the IT infrastructure by adopting 
the cloud has raised perceived concerns about security risks. Cloud 
computing, however, can provide for an environment that is inherently 
superior for applying many critical security measures. By centralizing 
data storage and governance, clouds can actually provide better 
security at a lower cost than can traditional computing environments. 
Cloud environments can also provide differentiated levels of security, 
reflecting the fact that some data requires a great deal of protection 
while other data requires far less. Cloud providers can work with their 
customers to deliver security efficiently and effectively based on 
different levels of risk--security services can be built into the cloud 
up front to optimize protection at a given risk level.
    Moreover, by facilitating uniform management practices across a 
distributed computing environment, cloud can improve certain key 
security practices, such as:

      Detection--the cloud creates the ability to link together 
millions of security nodes on the net. By working together, these nodes 
can better detect new threats how to implement cloud efficiently.

      Remediation--Quick remediation is vital for cyber 
security--the less time the malware is present, the better the 
protection. The cloud allows implementation much more rapidly than the 
older model of having to load the solution onto multiple machines.

      Prediction--Increasingly, cyber security focuses on 
limiting the ability of bad actors to act in the first place. The cloud 
helps security teams to identify machines that create and disseminate 
malware, and to quickly isolate those machines--blocking their ability 
to infect customer systems.

      Data and Device Protection--A significant security 
threat, and one that has impacted the Federal government, is breach of 
data, especially from lost or stolen laptops or mobile devices. Cloud 
provides for centrally stored data with continuous and automated 
network analysis and protection, so that if a device is lost, the data 
and applications are not lost with it (unless the user has been allowed 
to load them separately onto the device).

    As noted earlier, I also Chair the Federal Information Security and 
Privacy Advisory Board (ISPAB). Building off a Board-hosted forum on 
best practices in this space several years ago, the ISPAB has 
highlighted numerous ways that the Federal government can best 
addresses security in the cloud, especially with regard to the 
operation of the FedRAMP program and the monitoring of traffic that 
flows in and out of agencies over cloud-based applications (see more at 
http://csrc.nist.gov/groups/SMA/ispab).

Global Model
    The cloud can be either localized or global in nature. The benefits 
of cloud computing increase, however, when providers can move computing 
and data power to locations that are most cost-effective, rapidly and 
with no loss of service quality or security. For example, consider the 
recent storm and power outages in Washington, DC--in a situation like 
this, using a cloud that allows the online relocation of computing 
resources would provide continuity of service far more quickly and 
cheaply than a platform restricted to local computing locations.
    Real-time movement of computing resources points out the need to 
understand issues involved in cross-border data flows in the cloud. Of 
course, data has moved across borders for decades--airlines, 
pharmaceuticals, telecommunications, and technology companies are among 
those with long history here. The cloud has amplified attention to 
cross-border data flow issues such data sovereignty and jurisdictional 
questions. Most of these issues are best addressed via contracts 
between solution providers and customers; contracts can designate 
jurisdiction and establish clear provisions for ownership, privacy, 
security, and consumer protection.
    I would like to highlight some recent findings and observations in 
three areas that affect the cloud's global nature and American 
competitiveness in this space--the extent that government can access 
data across borders, international privacy collaboration, and open 
standards.

Government Access to Data
    The extent to which governments can access data across borders is a 
subject of confusion among cloud providers and users. However, many 
nations have similar domestic data policies. A recent HoganLovells 
White Paper, ``A Global Reality: Governmental Access to Data in the 
Cloud,'' reveals that U.S. law provides some greater privacy 
protections:

        ``In jurisdictions outside the United States, there is the real 
        potential of data relating to a person, but not technically 
        ``personal data,'' stored in the Cloud being disclosed to 
        governmental authorities voluntarily, without legal process and 
        protections. In other words, governmental authorities can use 
        their ``influence'' with Cloud service providers--who, it can 
        be assumed, will be incentivized to cooperate since it is a 
        governmental authority asking--to hand over information outside 
        of any legal framework. United States law specifically protects 
        such data from access by the government outside of legal 
        process.''

    Furthermore, the paper notes that ``it is not possible to isolate 
data in the Cloud from governmental access based on the physical 
location of the Cloud service provider or its facilities. Governmental 
access to data in the Cloud is ubiquitous, and extends across 
borders.'' As the paper concludes, a detailed analysis of ten countries 
revealed that:

        ``every single country that we examined vests authority in the 
        government to require a Cloud service provider to disclose 
        customer data in certain situations, and in most instances this 
        authority enables the government to access data physically 
        stored outside the country's borders, provided there is some 
        jurisdictional hook, such as the presence of a business within 
        the country's borders. Even without that ``hook,'' MLATs allow 
        access to data across borders.'' [Governments cooperate with 
        each other through ``mutual legal assistance treaties'' 
        (MLATs)]

    Regardless of jurisdiction, individuals whose data resides in the 
cloud will have greatest confidence if, to the extent permissible under 
law, they do not lose protection solely based on where their data is 
stored and processed.

International Privacy Collaboration
    With the understanding that many nations have similar laws and that 
where a company stores its data should not reduce protections, 
consumers, enterprises, and governments can look at cloud providers' 
experience with providing security and privacy protections in order to 
make informed decisions about how to use applications in the cloud.
    In addition, cloud computing would benefit from an international 
regime that promotes privacy while supporting the efficient flow of 
data across borders. While it is neither practical nor desirable to 
seek the complete harmonization of rules, countries may be able to 
recognize each other's rules (including privacy safeguards) to the 
greatest extent possible, and to honor those rules through means such 
as contracts and service level agreements (SLAs). This approach to 
interoperability would not require the same laws in each jurisdiction, 
but it would allow data and computing transfers to take place over the 
cloud based on shared understanding of how law and policy should apply.
    Initiatives such as the US-EU safe harbor, the use of binding 
corporate rules, and the cross-border privacy initiative in APEC serve 
as building blocks for such an interoperable international privacy 
regime. The benefits of such a regime would extend beyond cloud 
computing; they would support any entity that builds data centers in 
different jurisdictions. But because cloud computing relies heavily on 
the efficiencies gained from real-time data flows across different 
countries, the adoption of an interoperable privacy regime would 
facilitate cost-effective adoption.

Open Standards
    The benefits of cloud can best be achieved by reliance on open 
standards that promote data portability and interoperability, which are 
critical for successful adoption and delivery of cloud-based solutions. 
Open standards enable users to reap value from a diversity of cloud 
providers, and to move data and applications based on a choice of 
available applications without friction. Consider the analogy to 
Internet-based computing since the 1990s: the Internet has seen 
phenomenal growth and spurred so much innovation because its networks 
dependent largely on open standards--no one company or handful of 
companies has a dominant position and can single-handedly determine its 
architecture and development.
    An open standards approach would particularly help to address the 
issue of location-based mandates. Over a dozen countries have recently 
drafted or are considering laws that would mandate in-country location 
of cloud data servers and storage facilities. The Business Roundtable 
recently released a report, ``The Growing Threat of Local Data Server 
Requirements'' (http://businessroundtable.org/uploads/studies-reports/
downloads/Global_IT_Policy_Paper_final.pdf), which provides details on 
this issue. While certain practices by governments to locally source 
cloud computing are understandable--for example, for a country's 
national security information--governments could enhance the cloud's 
efficiency and cost benefits by avoiding location mandates, and 
leveraging and encouraging an open, global model.

                               CONCLUSION

    Cloud computing has great promise to enable consumers, businesses, 
and governments to reduce IT costs and improve IT performance. Key 
considerations in leveraging the benefits of the cloud include 
implementation, security, and leveraging the efficiencies of the global 
model. Greater education, investment and appropriate incentives can 
allow government and businesses to help all stakeholders use the cloud 
most effectively.
    Chairman Goodlatte and Ranking Member Watt, thank you for the 
opportunity to speak with the Subcommittee. I welcome the chance to 
answer any questions that you may have.
                               __________

    Mr. Goodlatte. Thank you, Mr. Chenok.
    Mr. Castro, we are pleased to have your testimony.

    TESTIMONY OF DANIEL CASTRO, SENIOR ANALYST, INFORMATION 
          TECHNOLOGY AND INNOVATION FOUNDATION (ITIF)

    Mr. Castro. Thank you. Chairman Goodlatte, Ranking Member 
Watt, Chairman Smith, and Members of the Subcommittee, I 
appreciate the opportunity----
    Mr. Goodlatte. Could you put that microphone----
    Mr. Castro. There we go. Chairman Goodlatte, Ranking Member 
Watt, Chairman Smith, and Members of the Subcommittee, I 
appreciate the opportunity to discuss cloud computing with you 
today.
    I would like to focus my remarks on two principles that 
policymakers should keep in mind with regards to cloud 
computing. The first principle is cloud neutrality. Cloud 
computing is an important trend for how organizations use 
information technology, but the technology itself is not so 
different from other forms of computing that there is a need to 
create cloud specific regulations. That does not mean there are 
not important policy issues that affect cloud computing. For 
example, one important issue is addressing the complex 
jurisdictional questions that arise from having data subjects, 
data owners, and service providers under different legal 
jurisdictions and facing conflicting regulations.
    Meaningfully addressing these issues may eventually require 
countries to develop agreements on questions of jurisdiction or 
standardize some data practices, or, alternatively, advances in 
technology that allow data policies to actually bundle with 
data, and ensure that these policies are enforced may help 
resolve some of these questions.
    While all these issues are important for many cloud 
computing companies, they are not necessarily unique to the 
technology. However, creating cloud neutral policies will 
require some change to ensure that laws and regulations do not 
favor or disfavor cloud computing.
    One important step Congress can take in this direction is 
to update the laws that govern the electronic surveillance of 
data. The Electronic Communications Privacy Act was enacted in 
1986, and has not kept pace with the advancement of technology 
and the growth of cloud computing. As a result, there are 
different levels of protection afforded to the privacy of an 
individual's data depending on where and for how long the data 
has been stored. Consensus is forming around the idea that 
reform is needed in this area to protect Fourth Amendment 
rights.
    The second important principle for cloud computing is for 
policymakers to address anti-competitive foreign practices that 
challenge the dominance of cloud computing service providers in 
the United States. As a leading provider of cloud computing, 
U.S. companies stand to benefit tremendously from the large 
expected growth in cloud computing worldwide. Not surprisingly, 
other countries are aggressively challenging U.S. leadership in 
this market.
    While fair competition is legitimate, some countries are 
using unfair policies to intentionally disadvantage foreign 
competitors and grow their domestic cloud computing industry. 
The rise of cloud mercantilism is an emerging threat to the 
global trade and information technology.
    Some countries are using data security and data privacy 
regulations to create geographic restrictions on where cloud 
computing service providers can store and process data. Other 
countries have policies that explicitly require cloud computing 
service providers to operate data centers domestically. These 
requirements have the effect of making cloud computing less 
efficient since decisions about where to locate data centers or 
how to operate them must be made on political mandates rather 
than technical or economic factors.
    Localization requirements also serve as a form of 
protectionism for domestic cloud computing providers since it 
may not be economically viable for a foreign competitor to 
build a domestic data center. Examples of this type of behavior 
can be found in many countries, for example, Greece, Vietnam, 
and Brunei have all passed laws which require data generated 
within the country to be stored on servers within those 
countries. Both the Norwegian and the Danish protection 
authorities have issued rulings to prevent the use of certain 
cloud computing services when those servers were not located 
domestically. The government in Kazakhstan issued an order to 
require that all dot.kz domain names operate on servers located 
within the country. China, Russia, Venezuela, and Nigeria have 
all passed localization requirements ostensibly to protect 
national security and payment processing. And similar types of 
laws are pending in other countries, including Indonesia, 
Malaysia, and Ukraine.
    Strong U.S. leadership is necessary to combat the unfair 
trade practices that other nations are using to block foreign 
competitors in the rapidly-growing cloud computing industry. 
First, the U.S. government should clearly and definitively 
state its opposition to local data center requirements and 
highlight instances of non-compliance by foreign governments. 
For example, this type of behavior could be highlighted by the 
USTR in a Special 301 report. Second, the U.S. government 
should affirm its intention to refrain from imposing its own 
local data center requirements. These policies may be tempting, 
but they diminish the capacity of the United States to hold 
other countries accountable for similar forms of protectionism.
    The long-term goals of the U.S. government should be to 
work toward eliminating geographic restrictions on cross-border 
flows of data. U.S.-based cloud computing service providers 
have the most to lose if these type of areas become widespread. 
After all, the domestic market for cloud services is much 
smaller than the global market.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Castro follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
                               __________

    Mr. Goodlatte. The Chair is going to diverge from regular 
order because the gentleman from North Carolina has some other 
obligations, and we want to recognize him first to ask his 
question. So we will turn now to him.
    Mr. Watt. I thank you, Mr. Chairman, and I thank you for 
accommodating my schedule. Unfortunately, I have got something 
that has started, and I need to be at immediately. But I did 
not want to miss the testimony or miss the opportunity to ask 
questions.
    All of the testimony was very interesting and raises some 
very, very interesting issues. It seems to be unanimity on the 
question of cloud neutrality. I take it everybody is in 
agreement on that.
    That means, I take it, that the same rules that apply to 
things outside the cloud should apply to things inside the 
cloud. Would that be a fair definition of cloud neutrality?
    Mr. Castro. Yes, I do think that is a fair definition.
    Mr. Watt. Okay. So but then you raise some interesting 
questions which, in essence, brings us back to a lot of the 
same issues that we have been dealing with outside the cloud--
protection of personal security, personal information for 
consumers, an issue outside the cloud, protection against 
trolls suing each other, although the owners of patents are 
suing each other regularly, which is a big problem, protection 
against piracy, which Mr. Holleyman raised in the context of 
the cloud, I presume to protect programs and what have you. But 
that is not unique to programs. Piracy is a problem.
    And I do not want this to devolve into another question of 
how we protect ourselves against piracy, but it does raise the 
question of whether in light of the failure of our Committee to 
be able to deal with that effectively and the withdrawal of the 
proposal that was on the table, whether any affirmative steps 
are being made by the industry to address piracy either in the 
cloud or outside the cloud. If you are going to have a neutral 
cloud neutrality and you have got problems outside the cloud, 
then we have got to commit ourselves to working on the problems 
outside the cloud so that when we adopt the principle of cloud 
neutrality, those same principles will protect us inside the 
cloud.
    So is anybody making any progress in the sector? You all 
obviously are all involved in this SOPA thing on one side or 
the other. We are not here to recreate that debate today. I 
just want to see whether you all think any progress is being 
made because if we are going to transport that issue to the 
cloud, we are going to have cloud neutrality, I think we got to 
deal with it. So, Mr. Holleyman?
    Mr. Holleyman. Mr. Watt, thank you for the observation and 
question. The point which I want to make clearly about piracy 
in the cloud is there was a common myth, and candidly, I 
probably believed this myth as recently as 2 years ago, that 
software piracy goes away when software is used in a cloud 
context, and that where you actually have piracy is with the 
physical media, but that when you shift it to the cloud, you do 
not have the problem of piracy. And, in fact, what we found is 
that the piracy evolves.
    I do think you will have less software piracy in a cloud 
context. We identified at least four ways in which it can 
occur, one of which will occur when unscrupulous hosters--
fortunately, there are none that I know of at this point, but 
they may be ones outside elsewhere----
    Mr. Watt. All right. You are identifying a set of problems 
in the cloud that are unique to the cloud, and I want to deal 
with. But that was not really my question.
    Mr. Holleyman. Okay.
    Mr. Watt. And I am running out of time.
    Mr. Holleyman. I think your question--if I understand your 
question correctly, it was saying that some of the problems 
that we currently see are simply going to be transferred into 
an environment in the cloud. So what we need is effective tools 
to deal with those, and that is going to require self-help by 
industry. And that is also going to require appropriate use of 
law enforcement resources when the piracy can be identified, 
whether it is in the cloud or outside the cloud.
    Mr. Watt. Well, my question was whether we are making any 
progress toward solving this problem outside the cloud or in 
the cloud. I guess that is the baseline question I am asking.
    Mr. Holleyman. Yeah, I think we are making some progress 
outside the cloud where piracy is bigger in reducing levels of 
piracy. I think we have seen some good cases the Justice 
Department has brought that have been helpful. We bring about 
10,000 cases a year. We are seeing piracy rates for software 
come down. What we have to make sure is that the tools that we 
need can continue to work in a cloud-based environment.
    Mr. Watt. I would just open up one other area of inquiry. I 
know my time----
    Mr. Goodlatte. Without objection, the gentleman is 
recognized for an additional minute.
    Mr. Watt. My time has expired, because it seems to me that 
this debate about whether we protect ourselves against other 
countries putting up barriers that allow hosting only in their 
countries is similar to this question of whether we do not 
prohibit call centers from going offshore.
    The question is, how do we protect ourselves, how do we 
protect our own consumers' information without those kinds of 
barriers in our own country? And if we put them up in our own 
country, does that not incentivize other countries to put them 
up there? The same thing with national security concerns. If we 
are allowing our national security apparatus access to 
information in the cloud, would it not be a legitimate concern 
for other countries to be concerned about the extent to which 
our national security apparatus would have access to their 
information in the cloud?
    I am not looking for answers necessarily to all of these 
questions, but it just seems to me from my simplistic mind that 
if we are setting up a set of neutral standards internationally 
and we are trying to get people to play by those rules, we have 
to anticipate that we have got our own set of issues we must 
deal with domestically before we can start fussing at everybody 
internationally. Am I off on the wrong cloud here, or do you 
all agree with what I am saying?
    Mr. Holleyman. I will start by saying, hey, look, I think 
we need to do both simultaneously. I mean, there are some gaps 
in U.S. law that we think need to be resolved, like the need 
for ECPA reform that would ensure some greater levels of 
privacy for data that is stored in the cloud. And that would be 
an important signal for other countries.
    And, secondly, we have to be aggressive in making sure, as 
one of my colleagues said, that we do not put rules in place 
that require all data on all U.S. citizens in all contexts to 
be held in the U.S. We do not require that now. There are some 
people who would like to do that, but if we did it, it would be 
a signal to every other country that they could do the same. So 
we have to live by that openness, but know that there are 
appropriate privacy and security regimes that will protect 
appropriate levels of data for U.S. citizens, wherever it's 
hosted.
    Mr. Watt. Mr. Chairman, I appreciate your accommodating my 
schedule. I wish I could stay for another round of questioning 
because really I came with the intention of talking more about 
competition in the cloud, and I did not ask a single question 
about competition.
    Mr. Goodlatte. If you would submit your questions for the 
record, we would be happy to submit them to all the witnesses 
and ask them to respond.
    And we appreciate the gentleman's participation. And the 
Chair now recognizes the gentleman from Texas, Chairman Smith 
for 5 minutes.
    Mr. Smith. Thank you, Mr. Chairman. I would like to try to 
see if I can squeeze in questions on the subject of patent 
trolls, privacy security, and foreign countries.
    Let me direct my first question to Mr. Freeman. You and I 
have talked about this subject, and I have talked with two 
others within Rackspace on the problem of patent trolls, and 
the frivolous lawsuits they file, and the cost to the company 
and to other companies across America.
    I think we are aware of the problem, though if you want to 
discuss it in greater detail, you are welcome to. But what do 
you think are some of the solutions to this almost exponential 
growth in lawsuits, litigation derived from these patent 
trolls?
    Mr. Freeman. Thank you, Congressman. I think two key 
mechanisms that limit the incentives that patent trolls have to 
bring actions for profit without practicing their invention or 
practicing the patent. One approach along those lines is to 
limit the potential reward from litigation to the actual value 
of the license or that the troll are acquiring entity paid for 
a patent if it is not also practicing the patent. That is a 
case where the patent troll is essentially not being harmed by 
the practice of the invention by another entity, so it should 
not essentially get an ill-gotten gain simply as a result of 
holding onto a patent in an attempt to block innovation.
    Another mechanism is to shift toward a framework where 
legal costs and responsibilities are borne more equitably 
between the two parties. A loser pays a price has been floated, 
and there are some interesting potential reforms along those 
lines. They can make it so that a patent troll has a lot or a 
litigator has a lot on the line when they file a claim for an 
infringement action.
    Mr. Smith. Okay. Good suggestions in regard to the first. I 
think we would have to probably be careful so that we would not 
apply such a reform too broadly. You cannot say it is illegal 
for someone to hold a patent just because they are not using 
it. But I understand the thrust of your reform, and I agree 
with that.
    Mr. Holleyman, on the subject of privacy, what are some of 
the privacy issues involved with cloud computing that we need 
to be aware of? And you just started getting into that a little 
bit I think in response to the question from Mr. Watt.
    Mr. Holleyman. Right. On the issue of privacy or piracy?
    Mr. Smith. Privacy.
    Mr. Holleyman. Privacy. Well, look, I think on the issue of 
privacy, one of the single biggest issues is going to be how we 
work in the context of the European Union, which is moving to 
adopt a data privacy regulation that will be unlike a 
directive. This will be mandatory across all 27 member states. 
There is sort of an 18- to 24-month process in which that is 
happening, and that is going to require a regular dialogue with 
U.S. government, both Administration and U.S. Members of 
Congress, because at the end of the day, we have to have a 
regime that preserves the safe harbor, provisions that 
currently have been negotiated between the U.S. and the EU so 
that data can be exchanged appropriately across borders. And 
that we also have to ensure that the Europeans do not adopt a 
privacy regime that is so restrictive that will have a de facto 
effect of blocking access by U.S. companies.
    Mr. Smith. And as you say, we have seen some signs of that 
already I think.
    Mr. Holleyman. Absolutely.
    Mr. Smith. Thank you. Mr. Chenok, I want to ask you about 
security issues involved with cloud computing. You touched on 
them a minute ago, but can you elaborate?
    Mr. Chenok. Yes, thank you for your question. Security in 
the cloud is----
    Mr. Smith. Is your mic on?
    Mr. Chenok. Yes, I will do that. Thank you for your 
question, Chairman Smith. Security in the cloud is not 
dissimilar to how security is handled in other forms of 
technology. You could imagine a cloud with very strong security 
protections built into the system--lots of surveillance of the 
Internet traffic coming out of the cloud, immediate warnings to 
the operators of the system that then go out to the users of 
the cloud if there is an incident. Similarly, you could imagine 
those same kinds of protections being built into a well-
constructed system that is a more traditional system, let us 
say a client server system or another type of computing system.
    So security issues in the cloud in some ways can be built 
very well or not. And the key is to incentivize, and for 
companies like ourselves that are here with you today to 
understand how to build security into solutions that we develop 
for the cloud from the beginning so that customers of ours--
consumers, businesses, and governments--have confidence that 
the solutions that we provide and the solutions that are 
discussed in the context of government to government 
discussions are secure and private.
    The other point I would make, just reiterating what was in 
the testimony, is that the cloud itself can provide for a much 
more rapid response if there is a security incident that comes 
in. If you are in a traditional environment with lots of 
different servers in different places and different people 
worrying about those, and a computer security incident occurs 
in a patch to fix the incident is delivered, it is often 
delivered essentially manually from place to place and person 
to person. With the cloud, you can deliver that patch 
automatically, instantaneously, and the problem is rectified 
immediately.
    Mr. Smith. Okay. Thank you, Mr. Chenok. I am out of time. 
Mr. Castro, I just want to thank you for answering my question 
a minute ago in your opening statement about the threat of 
foreign countries and what our government should do. You were 
very specific. I hope the Administration will listen.
    Thank you, Mr. Chairman.
    Mr. Goodlatte. I thank the gentleman. The gentleman from 
New York, Mr. Nadler, is recognized for 5 minutes.
    Mr. Nadler. I thank the gentleman.
    Mr. Castro, a key guiding principle articulated by several 
company witnesses at one of our prior hearings held in 
September 2010 when I was Chairman of the Constitution 
Subcommittee was the desire for technology neutral or cloud 
neutral, as it has been described today, standards for 
government access to communications under the Electronic 
Communications Privacy Act, ECPA. This would mean that with 
regard to government access to content communications stored in 
the cloud, communications stored in the cloud would be treated 
the same as communications stored locally by a customer.
    If a primary goal for ECPA reform is establishing clear and 
consistent standards, it does seem that this would be 
essential. Do you agree?
    Mr. Castro. I do agree.
    Mr. Nadler. Anybody else agree or disagree on that? 
Everybody agrees that we should have the same standards for 
government access to material stored in the cloud as for 
government access stored on your laptop.
    And, Mr. Holleyman and Mr. Chenok, the principle we are 
discussing, that of cloud or technology neutrality, is a core 
principle of the Digital Due Process coalition. DDP takes the 
position that ``Government access to content and communications 
should require a search warrant issued based on a showing of 
probable cause, regardless of the age of the communications, 
the means or status of their storage, or the provider's access 
or use of the communications in its normal business 
operations.''
    This technology-neutral standard adopts the current 
standard for communication stored by an individual locally for 
the communication stored in the cloud. IBM and BSA are members 
of the Digital Due Process coalition, so I presume your 
companies would support a bill adopting this standard. Would 
you agree with that or comment on it, Mr. Holleyman first.
    Mr. Holleyman. BSA is a member of the Digital Due Process 
coalition, and we support their recommendations.
    Mr. Chenok. And IBM is a member of the Digital Due Process 
coalition and support it, yes.
    Mr. Nadler. So you would agree that the standard should be 
a due process standard, a search warrant based on a showing of 
probable cause, regardless of age. We have in ECPA now these 
different standards based on whether it is longer than 180 days 
or less than 180 days based on assumptions 25 years ago that if 
you had it on your computer or on somebody else's computer for 
more than 180 days, obviously you did not care about it. You 
did not care about your privacy. Does everybody agree that that 
logic is no longer the case?
    Everybody seems to agree?
    Mr. Holleyman. Mr. Nadler, I agree with that logic, and, 
again, we are part of that coalition and support those 
recommendations. I would actually like to follow up with some 
additional detail for the record for your question.
    Mr. Chenok. I would join Mr. Holleyman in following up.
    Mr. Nadler. I thank you. I yield back.
    Mr. Goodlatte. I thank the gentleman. The gentleman from 
Pennsylvania, Mr. Marino, is recognized for 5 minutes.
    Mr. Marino. Thank you, Chairman.
    Good afternoon, gentleman. Thank you for being here. As a 
former prosecutor, I believe that for every action there is an 
equal and opposite reaction. So with that said, we in America, 
we are very good at developing technology, the best in the 
world I think. But nevertheless, we fall short worldwide of 
anticipating the downside of our advancements and our 
technology. And pursuant to our topic today, the clouding 
issue, I am going to ask each of you to take a moment and 
perhaps predict what you see the downside of the technology 
that we are achieving today concerning clouding. Do you 
understand my question? Mr. Holleyman?
    Mr. Holleyman. Look, I think the biggest downside I see is 
that there are going to be a lot of changes in the economy that 
result, as you move to using this new technology, which means 
that the nature of some jobs will change, the nature of how 
information is stored has changed. But as I began with the IDC 
report, there is also a huge value add to the economy, as much 
as a trillion dollars in new growth, not just in technology, 
but across all sectors because of cloud-enabled innovation.
    Mr. Marino. Okay. Mr. Freeman, do you have a comment?
    Mr. Freeman. I think I echo those thoughts. There is going 
to be an economically disruptive effect as the amount of data 
that is available and information about individuals' 
consumption behaviors is magnified exponentially. If there is 
not an alignment of the legal principles and the legal system 
applicable to types of data, regardless of whether they are 
stored in the cloud or locally, I think that is going to pose a 
big challenge and potentially be disruptive to continue cloud 
innovation.
    Mr. Marino. Thank you. Mr. Chenok?
    Mr. Chenok. Thank you, Congressman Marino, for your 
question. I think two points. One, if not implemented well as 
with any technology, cloud can increase issues involved in how 
a technology is placed in a work location or used by a user. So 
the concern would be address cloud's implementation and make 
sure that it is done in a manner that addresses some of the 
issues that we have discussed here today earlier with regard to 
location mandates and open standards to make sure that those 
types of policy choices are built into the implementation. 
Without that, you could get some unintended effects.
    And also misperceptions. Some of us have talked this 
morning about certain beliefs about the cloud that are not 
necessarily true in fact, but color how people come to it and 
color the uptake in terms of use of the cloud. And so thinking 
of fact-based, I think, is very important.
    Mr. Marino. Thank you. Mr. Castro, do you have a thought?
    Mr. Castro. Yes. You know, I think cloud computing 
technology is disruptive businesses and organizations and 
government in very positive ways. But it is also, of course, 
there is a duality to technology, and it can be used for 
negative purposes as well. So just as we see legal businesses 
becoming more productive and doing more with this technology, 
we can also see that taken up by illegal activity to be more 
productive. And obviously that is a very bad thing.
    Mr. Marino. A good segue into my next question concerning 
the illegality of it and the potential of those outside. It 
should not be in a particular area garnering the information, 
penetrating the system. How about our security end of the 
thing, anyone?
    Mr. Holleyman. In a cloud context, you need to look at kind 
of the access controls and how it is secured. I mean, the 
cloud, if configured properly, can be a much more secure 
environment than the highly distributed environment we have 
today where people leave laptops or they leave their thumb 
drive. And so if done properly, the cloud can be a net 
positive.
    Mr. Marino. Well, let us take it a step further, and I am 
going to use an example. Years ago in law enforcement, we 
develop a basic walkie-talkie where law enforcement can 
communicate with one another. But then quickly, there was 
developed a scanner where we could--where the criminals could 
hear that we were coming after them. So how do we prevent that? 
Has that been taking into consideration at this point? I know 
we're anxious to put this all together, but are we thinking of 
the ramifications and the technology that can really counter 
what we intend to do?
    Mr. Chenok. So, Congressman Marino, there are technical 
protections that can be built into data in transit that can be 
established and assigned to the cloud in terms of understanding 
how information is moving and whether there is interception of 
that information while it is moving, and can very quickly spot 
when somebody is trying to penetrate a system or penetrate a 
set of information resources that are moving along, and then 
quickly identify how to resolve that situation.
    And continuing to build those technologies in and designing 
the system properly from the front will help to address those 
types of risks.
    Mr. Marino. And, Mr. Castro, I am going to flip a question 
to you. I am running short of time here. How many entities 
within when I send my e-mail to whoever is receiving it are 
going to have access that information within that cloud?
    Mr. Castro. In theory, you could have just one. You know, 
you could have just the one actual provider, depending on how 
the cloud computing environment is set up. Ideally, you have it 
virtualized in a way that the data is actually segmented in 
ways that other providers that might be offering services would 
not actually have access to your specific data.
    Mr. Marino. I see my time has run out. Thank you, 
gentleman. My daughter is going to be proud of me because I was 
talking about the cloud system today. [Laughter.]
    Thank you. Thank you, Chairman. I yield back.
    Mr. Goodlatte. Does she think most days you have your head 
in the clouds? [Laughter.]
    Like my teenagers did when they were that age? The Chair is 
pleased to recognize the gentlewoman from California, Ms. 
Lofgren, for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman. My apologies for 
being late. I had a competing meeting. But I do think that this 
is a very important discussion. I understand Mr. Nadler raised 
the issue that I have also been working on, the need to update 
ECPA for our current technology times. It has been a long time. 
And there are certainly privacy issues that need to be 
addressed, and certainly some of the assumptions that Americans 
have about the privacy afforded their digital data is not, in 
fact, adhered to under the legal standards. And so that is 
something that I hope to help address as time goes on.
    I am wondering, in terms of as we deploy throughout the 
world, whether there are issues that we also need to address on 
standard setting for interoperability and portability of data 
when it comes to cloud computing, something I have not heard 
discussed at all, and yet I think it is pretty obviously 
something that needs to at least be attended to. Am I mis-
advised to be concerned about that?
    Mr. Freeman. I think that is very correct. I think there 
are two key types of portability that have to be considered. 
The portability of user data, you can rapidly see adverse 
effects if cloud data or user data is stored within a given 
provider, and users of businesses are essentially held hostage 
and unable to extract that data later.
    Ms. Lofgren. That is right.
    Mr. Freeman. The other thing is the portability of 
applications, the services that essentially are the cloud. If a 
government agency or a business is too reliant on a single 
provider's proprietary infrastructure and may find itself 
unable to migrate out to either another provider in the case of 
a service issue or be left without an alternative solution in 
the case of a service failure.
    Ms. Lofgren. I am interested as well--I think some of the 
security issues have been dealt with. But I think there is an 
overlap between, maybe for lack of a better word, security 
issues and interoperability. And I wanted to raise the issue 
of--and I will use the U.S. as an example. We recently took an 
action, we as the United States government, against a site 
alleged to be a big pirate site, Megaupload. But in a way, that 
is also cloud computing. I mean, it is not what we think of in 
the business world, but that is what it is.
    Have you addressed the issue of governments aggressively 
enforcing property rights when it comes to cloud computing that 
then disadvantages other users? We have heard for example that 
why somebody would store their baby pictures on Megaupload, I 
do not know, but apparently some people did. And now their baby 
pictures are going to be toast.
    Have we addressed that issue as a group that thinks about 
it, how we can protect innocent users when there are 
enforcement actions?
    Mr. Holleyman. Ms. Lofgren, I am totally familiar with 
Megaupload case, and I know that there are some pending 
proceedings both at Justice and in the courts, of which I am 
not privy to----
    Ms. Lofgren. Right. I just use that as an example. You do 
not have to talk about that case.
    Mr. Holleyman. Look, I think one of the questions is given 
the scope of some of what I would refer to as just, you know, 
storage facilities, and how to ensure that you have protection 
for the legitimate data that is stored, recognizing that you 
still need tools to be able to deal with the illegitimate data 
that may be stored or the hosting entity.
    And I think it is going to take, you know, a balance of 
laws. What is important, though, is that you still have to have 
tools, both civil and criminal, that allow you to take action--
--
    Ms. Lofgren. Oh, I am not arguing that case. But nobody 
seems to feel any responsibility toward people who are 
completely innocent here. And there is no standards. There 
seems to be no interest or obligation to innocent bystanders to 
this action. I am wondering if there is not something that we 
ought to do to address that issue.
    Mr. Holleyman. Again, I cannot suggest an answer to that. I 
think that is a legitimate question. It is a legitimate 
question you are asking. I mean, we had, as BSA, been engaged 
in a lot of notice and takedown activity with Megaupload, and 
there were certainly some illegal software that was part of 
that.
    Ms. Lofgren. Sure.
    Mr. Holleyman. And there has now been, we both 
independently and obviously through Justice, have had some 
recourse. But I cannot go beyond that to talk about----
    Ms. Lofgren. Well, let us just use it as an example, not 
that----
    Mr. Goodlatte. Without objection, the gentlewoman is 
recognized for an additional minute.
    Ms. Lofgren. Thank you, Mr. Chairman. If any of the 
witnesses have a suggestion on whether we should not have some 
standards so that innocent bystanders, if you will, have some 
recourse and rights, I would be maybe off calendar eager to 
hear them.
    Mr. Freeman. I would like to speak to that, if I may, 
Congresswoman. I think the key is an alignment of existing 
privacy and criminal standards with regards to search and 
access, regardless of the location or the nature of how data is 
stored.
    You highlighted ECPA earlier, and e-mail is treated 
differently when I print it out and put it in my desk than it 
is when it is on my computer than it is when it is on Gmail 
server. That alignment, along with a bit of international 
consistency, I think will solve the problem for both businesses 
and consumer.
    Megaupload is a case that, for example, highlights the use 
of mutual legal assistance treaties to create a coherent and 
enforceable regime. But if those standards are not consistent 
with regards to the data type, regardless of technology, and if 
they are not consistent internationally, there will be a lack 
of transparency and perceived lack of protection for users' 
data.
    Mr. Goodlatte. The time of the gentlewoman has expired.
    Ms. Lofgren. Thank you, Mr. Chairman.
    Mr. Goodlatte. And the Chair will recognize himself for 
questions.
    Mr. Holleyman and Mr. Freeman, what are some of the more 
egregious market access issues that BSA or Rackspace or other 
businesses have found foreign countries engaging in against 
American cloud computing companies in the European Union or in 
countries like Canada, Australia, India, Japan, China? As I 
prepared this question, it seemed to have gotten longer. We 
will start with you, Mr. Holleyman.
    Mr. Holleyman. Mr. Chairman, it is unfortunately an 
increasingly long list, as we pointed out in our report. I will 
give you two countries at opposite ends of the spectrum. China 
has a requirement that you must have a joint venture with a 
Chinese entity to provide a cloud service in China, and there 
is a condition of providing source code in conjunction with 
that. And China is no longer allowing joint ventures, and of 
course companies are rightly resisting any source code 
disclosures. So effectively, you have a great wall that has 
been erected and continuing to be erected that is going to shut 
out companies in the China market.
    On the opposite end of the spectrum, you have the concerns 
I see happening in Germany where German government officials 
are talking about the fact that all German data should be 
stored in Germany, both high sensitive and low sensitive and 
medium sensitive data, not only for the German government, but 
for German citizens. And then you have a marketing campaign by 
Deutsche Telecom, which is effectively a third owned by the 
German government, that is invoking the PATRIOT Act and citing 
the PATRIOT Act as a reason why customers should use Deutsche 
Telecom's hosting services over U.S. providers.
    And so I think those are two ends of the spectrum, and we 
need to address those problems in both countries. And they are 
just an example of what we see elsewhere.
    Mr. Goodlatte. Does Deutsche Telecom still own T-Mobile? Is 
that the relationship there?
    Mr. Holleyman. Well, my understanding is that they still 
do, but I am not the expert on that.
    Mr. Goodlatte. Following up on that very distressing point, 
having worked as hard as I have on the PATRIOT Act, what are 
some of the misconceptions that they are spreading about the 
PATRIOT Act, or data privacy policies in the United States in 
general that would help them steer business to Germany 
companies or other countries that may be doing the same thing?
    Mr. Freeman. I can tell you at Rackspace, we commonly see 
almost occasionally absurd positioning of what the PATRIOT Act 
permits to the extent that it allows almost any U.S. government 
agency to, without notice or warrant, access any private data 
that is on a server contained within the United States. That 
sort of----
    Mr. Goodlatte. Well, that is totally false.
    Mr. Freeman. That sort of fear, uncertainty, and doubt I 
think inform Canada's FOIPA law, which is a good example of a 
protectionist measure that excluded U.S. participation in the 
marketplace. Canada passed a patient privacy bill that 
prohibited the storage of any patient health information on any 
server located in the United States based on this sort of fear 
and uncertainty. Now I think it was more of a protectionist 
measure that has leveraged that type of fear. But our great 
concern is that we see the same types of positioning being 
touted in marketing campaigns such as in Germany and the rest 
of Europe.
    Mr. Goodlatte. So what do you do to counter that? Do you 
have a Rackspace Germany that is a separate entity with your 
cloud computing capabilities there, or what do you do?
    Mr. Freeman. Thank you, Chairman. Even having a subsidiary 
entity these days is being targeted. Essentially, there is an 
approach that anyone who has either a server in the United 
States or is a subsidiary or joint venture with the U.S. 
company is becoming suspect.
    Again, I think these are really pretenses for protectionist 
pressures, and that they are not based on legitimate 
understanding of the legal principles. I think the best way to 
deal with it is through education, and the establishment of 
international standards, and clear statements from the U.S. 
government about how the PATRIOT Act works and how it is 
utilized and implemented.
    I think we all are sort of aware that foreign countries all 
have access in certain circumstances to data for servers that 
are located on their soil.
    Mr. Goodlatte. I would argue most countries have far 
greater access to that data in their countries without the Bill 
of Rights that the United States Constitution provides for 
protection of U.S. citizens that would extend to anybody 
storing their data in the United States.
    So what do you suspect we should do with regard to this in 
the sense that it is a trade issue, that it is a protectionist 
policy? Have any of you approached the U.S. Trade 
Representative to address this issue?
    Mr. Holleyman. Chairman, I will give you a couple of 
answers. One is that the State Department has actually been 
very aggressive in raising this with other countries. 
Ambassador Riviere is leading that effort. There is a new myth 
busters document that State and Justice are working on to try 
to dispel the myths about the PATRIOT Act, and dispel the myth 
that somehow the U.S. has powers here that other countries 
have. And I think there has to be a bilateral, aggressive 
negotiation. And I also think that you see through USTR on 
efforts like the Trans-Pacific Partnership and building new 
trade agreements that deal with issues around cross-border data 
transfers that are related to, but an important complement to 
dispelling these myths about the PATRIOT Act.
    Mr. Goodlatte. Mr. Chenok, as more data moves to the cloud, 
where do you see the future of data analytics? What are some of 
the innovations that we can expect in this new field of 
technology?
    Mr. Chenok. Analytics is----
    Mr. Goodlatte. Put the microphone on again.
    Mr. Chenok. Analytics runs on a parallel track, Mr. 
Chairman, if you will, with the cloud. The cloud enables 
companies of all kinds and governments to understand 
information regardless of where it sits. Through the cloud, you 
can use technology to get to information more effectively and 
efficiently and at less cost. So it enables the type of 
analytics that can be done to really make decisions very 
quickly and rapidly based on data regardless of where it sits 
over an open cloud, without having to establish point to point 
agreements or computer interface exchanges that might take time 
and increase costs to achieve the same level of the data coming 
together to make an analytical decision. So the two are related 
and mutually reinforcing.
    Mr. Goodlatte. Thank you. Those are the questions that I 
have. Since the buzzer for the votes have not gone off yet, I 
will ask the gentleman from Pennsylvania or the gentlewoman 
from California if they have an additional question they would 
like to ask the panel of experts before we dismiss them. The 
gentlewoman from California.
    Ms. Lofgren. Mr. Chairman, thank you for that opportunity. 
There was some testimony on abusive patent litigation. And it 
is something I am concerned about, but I am not sure we have 
got the energy to wade back into patent reform. But I am 
wondering if we could get some suggestions on how the Patent 
Office itself might make that situation a better one.
    Mr. Freeman. Thank you, Congresswoman. I think it is 
difficult to approach it with the current regulatory authority 
of the Patent Office itself. I am reluctant to tell you that I 
have all of the solutions to the problem because it is really 
based on behavior----
    Ms. Lofgren. Well, join the club.
    Mr. Freeman. Yeah. It is really based on the behavior of a 
set of entities who are exploiting a system that works well in 
many cases. And there is no need to throw out the baby with the 
bath water, so to speak, but I think sort of responsive action 
is necessary.
    One area is particularly in regards to the development and 
increasing use of open source cloud software. The patent system 
does not work particularly well when it comes to collaborative 
open source projects because it really did envision more of a 
focus reward and innovation generating system.
    Ms. Lofgren. Well, we did have just recently some further 
discussion on standard setting in the patent system and how we 
might work with that. So, again, I am sorry I was unable to get 
here for all the testimony, but I do think that when you look 
at what, as the Chairman has said, certain countries are doing 
in terms of using tools to block market access, sometimes with 
legitimate concerns honestly about the lack of standards in 
American law. I mean, EPCA is one of them.
    We have a lot of work to do in this area, and I am glad 
that we had this hearing, Mr. Chairman. And I think we will be 
working diligently in the coming months to address some of 
these issues. And I yield back.
    Mr. Goodlatte. I thank the gentlewoman. The gentleman from 
Pennsylvania does not appear to have any additional questions. 
So we will thank our witnesses for their excellent testimony 
today.
    And without objection, all Members will have 5 legislative 
days to submit to the Chair additional written questions for 
the witnesses which we will forward and ask the witnesses to 
respond to as promptly as they can so that their answers may be 
made a part of the record.
    Without objection, all Members will have 5 legislative days 
to submit any additional materials for inclusion in the record.
    And with that, I again thank our witnesses. And the hearing 
is adjourned.
    [Whereupon, at 1:25 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record









                                

      Supplemental Material submitted by Robert W. Holleyman, II, 
 President & Chief Executive Officer, Business Software Alliance (BSA)

















































                               __________
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               
                               


                                








































































                                

  Prepared Statement of William Weber, General Counsel, Cbeyond, Inc.

    Mr. Chairman and members of the Subcommittee, Cbeyond appreciates 
the opportunity to provide a statement for the record for today's 
hearing. Cbeyond provides cloud and communications services to more 
than 62,000 small and medium businesses (SMBs) nationwide; in our most 
established markets including Atlanta, Dallas, Denver and Houston, we 
provide services to more than 15% of all businesses with between 5 and 
250 employees. Our annual revenue is nearly $500 million, and we have 
approximately 2000 employees. Forbes magazine recently named us one of 
America's Most Trusted Companies and--together with Kraft Foods and 
Timberland--we were recently given the Points of Light Corporate 
Engagement Award of Excellence.
    I hope today to give you a brief overview of what cloud computing 
is, why it matters to SMBs, the role that competitive 
telecommunications providers play in advancing the technology and 
barriers that may prevent SMBs from making use of the cloud to create 
jobs and drive innovation.

What Is Cloud Computing?

    Unfortunately, I am old enough to remember the giant computers of 
the 1960's with their punch cards and putty-colored terminals with 
ghostly green type. These machines differed from the computers our 
children grew up with in that their computing power was not in the 
terminals themselves; the computing power was in a mainframe computer 
located in another room or another building. This was why you sometimes 
heard the machines you typed on described as ``dumb terminals.''
    Beginning in the late 70's and moving through the 80's, computing 
power gradually migrated from the network core to the network edge. 
This was the rise of the personal computer, and as competition 
blossomed and prices tumbled, true computing power became available to 
home and small business users for the first time. This democratization 
of computing resources remade our economy and fundamentally changed the 
way many of us work.
    As PCs became ever smarter, faster and cheaper, we began to make 
demands on them that were difficult to achieve without a network. So we 
built a new kind of network. These new networks were fundamentally 
different from the old because now the computing power resided 
primarily at the edges. The networks themselves served to route 
information (like email) from PC to PC and to store information in 
central locations that needed to be accessed by many people 
simultaneously (like databases).
    Soon, though, we discovered a need to return some real computing 
power to the network itself. Let's take a law firm as an example. By 
the mid-90s, law firms got tired of having to buy the same programs for 
all their computers, particularly the programs they used to bill their 
time, store and access important documents and organize their 
calendars. Software makers responded by creating versions of their 
software that could reside on a central server connected to individual 
computers via the Ethernet cables of the law firm network. Now multiple 
attorneys and assistants could access the same central information, 
bills could be generated automatically and the vast document databases 
that made legal work simpler could be shared, searched and accessed by 
dozens of people simultaneously.
    This model worked well, but it had one major drawback: it required 
the law firm to maintain what amounted to a server farm on their 
premises and extensive Information Technology (IT) staff to take care 
of the servers and the internal network. It was also capital intensive 
because the firm had to purchase enough servers to run their enterprise 
software applications and back all those applications up. And, of 
course, they had to buy more resources than they actually needed to 
account for potential growth and be able to respond immediately to 
problems with an individual server; for a law firm--as with any other 
business--downtime would mean lost revenue. And this brings us to what 
people call ``the cloud.''
    So what is the cloud? At a high level it is the movement of server-
based computing power off the premises and onto servers that users 
access in a remote location over a private network or, in many 
instances, over the Internet. You already know about more consumer-
focused, cloud-based services than you may think. Netflix's streaming 
video service is one. Facebook is another. Both these applications 
store vast amounts of information on remote servers somewhere on the 
Internet and deliver that information (and the computing power 
necessary to process it) to you on demand.

Why Do SMBs Care About the Cloud?

    Understanding the basics of cloud computing is important, but it is 
just as important to understand how the businesses in your home 
districts use the cloud. A few examples might look like this:

          A seventeen-location Los Angeles furniture company 
        sending all of its security footage directly to the cloud where 
        they can store it securely and use server processing power to 
        review and search it.

          A major insurance company with its US headquarters in 
        Minnetonka moving its IT test environment to Amazon servers to 
        avoid the capital costs associated with purchasing dozens of 
        servers it will only need several times a year.

          A mid-size law firm with offices in Atlanta, 
        Charlotte and Louisville moving its billing, time-keeping and 
        accounting software to Cbeyond servers so that all of its 
        offices can access the same data at the same time.

          A group of orthopedic surgeons in Denver moving all 
        its patient records to the cloud to avoid the cost of 
        maintaining the servers necessary to store, search and access 
        x-rays and to ensure it meets its HIPPA obligations.

    Why would these businesses want to move these applications and 
information to off-premise servers? There are many reasons, some of 
which are embedded in the examples above. First, getting someone else 
to manage their servers allows an SMB to focus on their business rather 
than their infrastructure. Lawyers want to practice law, doctors want 
to practice medicine, real estate agents want to close deals and 
architects want to design buildings. They don't want to spend time 
taking care of internal IT resources. Cloud computing allows them to 
realize this dream.
    Second, cloud computing allows companies to preserve capital. 
Rather than buying servers that they then have to pay to maintain and 
upgrade, the business can rent only the server capacity it needs for 
the time it needs it. There are no installation cycles and no need for 
extra square footage or additional air conditioning or electrical 
upgrades.
    Third, cloud computing is fundamentally more secure in a variety of 
ways. It is physically more secure because data centers--unlike most 
places of business--are consciously designed to the highest access 
security and fire control standards. Business data is also more secure 
because a server operating in a data center is monitored around the 
clock and potential failures can often be detected and dealt with 
before they occur; this kind of monitoring and response simply cannot 
occur in SMB IT environments. Data in the cloud can be backed up to 
multiple, geographically diverse locations automatically; if there is a 
tornado that destroys a data center in Indianapolis, a business can 
seamlessly and without pause access that data from its duplicate in a 
Denver data center. And, finally, servers in a data center are sitting 
behind the most sophisticated, well-monitored firewalls available, and 
their anti-virus software is constantly updated with no intervention or 
action required by the business; it's all part of the service a 
business buys when it moves its data to the cloud.
    Fourth, cloud computing gives a business IT flexibility in that 
they can grow and shrink their computing resources on-demand, 
preserving both capital and time. If a business needs to test major 
software releases under heavy loads a few times a year, it can simply 
spin up cloud servers, run their tests and then spin them down, saving 
time, saving money and avoiding the cost of infrastructure it has only 
occasional need for.
    Finally, the cloud allows businesses to increase IT velocity. If an 
innovator has an idea, it can be put to the test immediately. No more 
waiting for a server to ship and get installed. This compresses 
planning cycles, keeps our entrepreneurs focused on innovation rather 
than the infrastructure of innovation and allows new ideas to launch at 
the speed of the idea rather than the speed of FedEx.

How Do Competitive Telecommunications Providers Help SMBs Take 
        Advantage of Cloud Computing?

    If my comments thus far make cloud computing sound like the answer 
to many of the problems that SMBs confront as they launch or grow, 
good. Because that's an accurate view: cloud computing helps preserve 
capital, increases security and makes launching or growing a business 
both cheaper and faster. But SMBs need help to make the best use of 
cloud computing, help that can only come from their service providers.
    Unlike the large businesses that first began making use of the 
cloud, SMBs do not have extensive IT resources. They don't know how to 
move the applications that run their business into the cloud, and they 
don't know how to migrate the associated data. In fact, they generally 
don't even know what cloud computing resources they actually need to do 
whatever it is they want to do.
    The large telecommunications and large cloud-only providers do a 
great job serving enterprise businesses with big IT staffs who know 
exactly what they need. The giant telecom companies and cable providers 
also provide high-quality services to the small businesses that need 
basic services like Internet bandwidth, phones and email. But what 
about the sophisticated SMB that wants to use the cloud to preserve 
capital for job creation and innovation? They are in a tough spot: they 
don't have the IT staff to help them with their migration to the cloud, 
and the big cloud providers are not set up to help them get QuickBooks 
and similar enterprise applications up and running in their data 
center. This is where companies like Cbeyond can help.
    Competitive telecommunications providers are the experts in the 
technology needs of SMBs because it's all we do. We have direct sales 
people who introduce businesses to the power of the cloud and personnel 
whose only job is to help businesses choose exactly the resources they 
need for the job at hand. We innovate to serve our small business 
customers by creating cloud offerings tailored specifically to their 
needs, building applications specifically designed to migrate their 
data and providing the kind of personalized support they need to 
succeed. In short, without competitive telecommunications providers, 
most SMBs will simply be shut out of the cloud computing revolution to 
the detriment of our economy, our unemployment rate and our global 
competitiveness.

What Are the Barriers that May Prevent SMBs from Making Use of the 
        Cloud to Create Jobs and Drive Innovation?

    As the Committee well knows, small business is the economic engine 
that drives our economy and creates more jobs than any other sector. 
Small businesses inject almost a trillion dollars into the economy each 
year. They have created more than ninety-three percent of all new jobs 
over the last twenty years and employ more than half of the U.S. 
workforce. They also employ forty-one percent of the nation's high-tech 
workers who generate about thirteen times more patents per employee 
than do workers at large firms. SMBs that want to leverage the cloud to 
launch, grow, innovate and create jobs face two primary obstacles: 
assistance with their migration--which I discussed above--and abundant, 
high-quality bandwidth.
    Cloud services are broadband intensive. Unlike traditional web-
based services in which the heaviest bandwidth usage is downstream-
only, an SMB using QuickBooks or other applications in the cloud is 
sending and receiving large volumes of data in both directions; it 
needs at least 10 megabits per second of private, symmetrical Ethernet 
bandwidth. While this may not sound like a lot in an age when cable 
companies routinely dangle 100 Mbps claims in the market, the key 
adjectives here are ``private'' and ``symmetrical.'' What this means in 
plain language is that an SMB accessing cloud-based enterprise 
applications needs bandwidth that is not shared and has a guaranteed 
upstream speed that is the same as its guaranteed downstream speed.
    Unfortunately, competitive technology providers--the real 
innovators in the cloud for SMBs--are limited by aging rules 
administered by the Federal Communication Commission (FCC) that have 
the perverse effect of locking small businesses into the broadband 
status quo of six years ago, undercutting the normal business cycle of 
innovation and denying our nation's SMBs benefits they should have 
received as broadband technology improved. These rules force 
competitive technology providers to buy the wholesale broadband inputs 
they need to reach their customers in small, 1.5 Mbps increments of 
time-division multiplexed (TDM) bandwidth; TDM technology was invented 
in the 1870s for the telegraph and evolved to its current form in 1962. 
This broadband gap leaves the rollout of the best cloud technologies 
almost exclusively to in the hands of large enterprise customers while 
innovative technology competitors try to serve SMBs, the job growth 
engine of our economy, with inadequate bandwidth resources. And--worst 
of all--SMBs are left using twentieth century business tools to try to 
create jobs in a twenty-first century global marketplace. This is no 
small issue.
    The FCC could fix this problem simply and almost without cost by 
implementing relevant provisions of the Business Broadband Docket which 
have been languishing at the FCC for almost three years: the FCC should 
ensure the survival of a competitive market by requiring the giant 
phone companies to sell--at retail prices--the packet-based bandwidth 
necessary for technology competitors to provide cloud services to SMBs. 
Unleashing this existing broadband capacity for use by technology 
competitors at market-based rates will create an immediate cycle of 
investment, innovation and job creation by allowing our most 
entrepreneurial SMBs to do what they do best: focus on innovation 
rather than infrastructure.
    Mr. Chairman and members of the Subcommittee, I appreciate the 
Committee's interest in this important topic and thank you for the 
opportunity to provide this statement for the record.

                                 
