Policy Proposals Industrial Technology U.S.- Japan Cloud Computing Working Group Report
I. Overview of U.S. Japan Cloud Computing Working Group
During the third meeting of the "U.S.-Japan Internet Economy Dialogue" held in March 2012, there was agreement to establish a U.S.-Japan government working group for the purpose of discussing policy issues related to cloud computing and of incorporating the views of the U.S. and Japanese business communities.
At the U.S.-Japan Summit meeting of April 2012, the two governments affirmed that they would continue with this dialogue with a focus on securing an open Internet, safeguarding the free flow of communication and network security, expanding e-government, and protecting the well-being of children on the Internet.
Cloud computing services are inherently global, and it is imperative that the United States and Japan as two leading nations in this field cooperate in the development of this important new technology. The United States and Japan need to deal proactively to solve problems related to cloud computing based on their respective strengths. Additionally, through promoting the development of the global ICT industry, the two governments will also contribute to national and regional growth and to the nurturing of a new framework for cloud services through driving the development of the global information and communications technology (ICT) industry.
The United States and Japan account for over 30 percent of the global economy. Japanese business is known for its innovation and high quality of its products, while U.S. business has a dynamic entrepreneurial culture and industrial base. Together, the two countries have a unique opportunity to work together in creating a new global economic model based on the Internet and cloud services.
Based on this perspective, Keidanren and the ACCJ established a U.S.-Japan Cloud Computing Working Group to nurture the right environment for cloud computing and identify issues related to its promotion for submission to the two governments at the fourth US-Japan Cooperation Dialogue in October.
2. The Importance of Cloud Computing
Cloud computing involves a new way of utilizing computer networks. With cloud computing, data services and Internet technologies are hosted on a large number of networked servers (the "cloud") and users need access only the services they need whenever and wherever they want to without necessarily processing or storing data on his/her own computer.
(2) Technical Features of the Cloud and their Significance
The distinguishing characteristics of cloud computing are efficiency, agility, innovation, and scalability. Together, these reduce costs, use computing resources more efficiently, and make possible changes in work and lifestyles, e.g. working remotely.
For example, cloud computing enables resource-short entrepreneurs, small businesses and developing countries to access information and communication technology (ICT) infrastructure at low cost and as needed. As a result, the benefits of cloud computing are not limited to just the ICT sector. The "cloud" is an important platform for the growth of all industries. And, for those organizations that deploy it effectively, cloud computing is a key tool for success in an increasingly competitive international environment. Additionally, since cloud computing offers services from large, remote data centers, it helps mitigate the risks associated with natural disasters and cyber attacks.
(3) Government Utilization
There are concerns regarding the storage of sensitive national security and other data on remote servers. Yet, for the vast majority of data, the location of the data is not an issue as long as appropriate security measures are in place. We believe that the active use of cloud computing by governments for data storage both overseas and at remote domestic sites (except for very sensitive national security data) can help mitigate private user concerns with the "cloud" and promote greater reliance on cloud computing.
Cloud computing can be very effective in improving the efficiency of government service delivery and supporting business process engineering (BPR). However, governments have tended to develop and employ ICT systems independently in each ministry or agency resulting in a great deal of functional duplication and unnecessary cost. Further, integration between central government cloud services and those of local administrations has been lacking. Since many of these systems were built to handle peak demand, expensive ICT resources are also not being efficiently used in non-peak periods. For these reasons, we are urging the governments of the United States and Japan to promote and expand E-government through cloud computing.
3. Need for a Global Approach
As seen in the many bilateral FTAs and in the multilateral TPP process, the globalization of economic activities is blurring the concept of national economic boundaries. Since it easily provides services beyond borders, cloud computing is an essential business tool in such an environment. Yet, given the differing legal frameworks in each country, steps to promote harmonization of these systems is essential while maintaining a balance between the differing requirements of cloud services directed to enterprises and to consumers. At the same time, since many users are not familiar with foreign regulations, which may differ from practices in the United States and Japan, accurate information on foreign legal system requirements is necessary to create an environment wherein users can benefit from cloud services without undue concern or additional expense.
As economic activity becomes more global, we are seeing new efforts in the EU to strengthen personal data protection regulations and to apply these to businesses outside of the EU. Since the protection of personal data is central to creating new industries through the provision of innovative services to users, there is the risk that excessive protection could stifle businesses, slow the deployment of new business solutions and create a large compliance burden. While the United States has a "safe-harbor" agreement with the EU, many Asian countries including Japan do not giving the inaccurate impression that personal data is not adequately protected in these countries. As a result, businesses in Asia fear the imposition of stringent data protection requirements on data services that are offered in Europe -- a development that would dramatically raise the cost of doing business there for them.
APEC is playing a larger and larger role in supporting regional and global economic growth. The US and Japanese governments should take the lead in creating an environment allowing the free flow of cloud data services in and out of the Asia Pacific region. This includes the creation of a common basis to support the widespread use of cloud services in APEC member economies and the establishing of practical and effective common rules between APEC member economies, including the United States and Japan, with the EU, for the protection of personal data at minimal cost to business. This ambitious goal will require time to achieve a reasonable balance between the need for strong protection of data and the flexibility and efficient access that business requires for cross-border transfers of data.
4. Current U.S. and Japanese Perspectives on Cloud Computing
(1) Japanese Perspectives
In July 2012, the Japanese government announced a new strategy for "renewing" Japan, entitled "Strategy for Japanese Renewal: Opening New Frontiers and Building a Country based on Cooperation and Creativity." The renewal strategy centers on projects in four areas: the environment, personal life, agriculture and small business.
The report underlines that the sharing of information is critical for Japan in working cooperatively and creatively with different economic sectors and with foreign countries. For that reason, expectations are high in Japan regarding the contributions to come from cloud computing. Unfortunately, outside of a few specialized sectors and some of the largest enterprises, the utilization of cloud computing in Japan is still inadequate -- and the four areas cited are not an exception.
On the other hand, there is a clear trend in Japan signaling a move towards realizing the vision of a "smart city" and to the strengthening of social infrastructure through greater use of cloud technologies. The reasons why ICT and cloud computing are insufficiently utilized in Japan are essentially not technical but are rooted in the society and economy, particularly in the areas of regulation, institutional practices and the mindset of people in certain sectors of the economy. Even as Japan works to address these issues domestically, cooperation between Japan and the United States in solving these challenges is also necessary.
In creating citizen-centered administrative services, national and local governments in Japan should proactively adopt a cloud computing service model. But in doing so it is essential that administrative agencies also pay attention to BPR. The national government also should encourage the use of cloud services in areas it delegates to other levels of administration. The role of the government chief information officer (CIO) in promoting a comprehensive approach to E-government is essential if effective results from these efforts are to be expected.
In the private sector, special attention needs to be given to promoting the use of cloud services by small businesses. Cloud services are effective in helping small businesses deal with resource challenges. Further, by reducing the startup costs of new business, cloud computing contributes to local economic growth.
The same is true in other areas such as healthcare, education and agriculture. Cloud computing supports the gathering and sharing of information, the provision of high value-added services and the development of new markets. The response to the March 11 Great East Japan Earthquake and Tsunami highlights how the cloud could have been better used to shore up data protection and business continuity.
(2) The U.S. Perspective
The U.S. government has identified the promotion of cloud technology and services as a key national priority. In recent years, the government has issued a number of plans for developing the infrastructure needed for reliable and secure cloud service. It has also taken steps to make government data ("big data") more easily accessed through its "digital government strategy" with the goal of encouraging new businesses and services that can package and deliver information to industry and consumers.
Protecting individual privacy is a key concern for government and industry in the United States. Currently, there is a proposal by the Obama Administration to strengthen the legal framework for safeguarding privacy through steps to improve transparency, enhance individual control over personal data, ensure limits are put in place on purposes for which data can be used and provide stronger accountability.
Cyber security is another priority. Attention is being placed on creating a broadly coordinated response to cyber incidents, strengthening public-private partnerships to find technology-based solutions, taking measures to identify threats and to secure critical infrastructure, such as the electrical grid, and on supporting campaigns to build greater public awareness and facilitate compliance with good security practices.
Digital content is a key driver for the utilization of cloud services. Current efforts seek to define a balance between the rights of content owners and the interests of consumers. Additionally, there is a debate on the extent to which Internet service providers should take responsibility for piracy and infringement of copyright, design, or trademarks.
Government and industry are investing in greater utilization of the cloud in healthcare, education, public safety and in energy management. There are significant government incentives available to hospitals and physicians for the use of electronic health records as part of the 2009 economic stimulus plan. The University Community Next Generation Innovation Project (Gig. U)#1 is directed at increasing the capacity of local area networks as platforms for cloud computing services with the goal of promoting university research and education, medical services, and support for small business. A national cloud-based emergency communications network to deal with natural disasters from fires to tornados was also recently launched, and regulatory changes are now allowing consumers to use the cloud to directly monitor their energy usage.
1 Gig.U: The University Community Next Generation Innovation Project (http://www.gig-u.org/)
There is a general recognition in the United States of the economic benefits of government policies designed to promote greater access and utilization of cloud technologies. The ICT sector of the U.S. economy, reflecting strong industry and consumer interest in cloud services, grew three times faster than the overall economy in 2011. New venture capital funding for Internet-related services doubled between 2009 and 2011, and, the so-called "App Economy," created by the introduction of the "smartphone," has created 500,000 new jobs in the United States since 2009.
II. Challenges to Achieving the Full Potential of Cloud Computing
1. U.S.-Japan Cooperation in Building a Framework for the Internet
(1) Internet Governance
The future development of the Internet depends on the preservation of an open and transparent environment. A strictly top-down approach by governments in promoting the Internet will not work. There is a need to incorporate a broad range of voices and interests from business, the tech community, users and others. The continued growth of the Internet hinges on a multi-stakeholder process centered around openness and transparency.
There is a great deal of discussion taking place in international institutions regarding the future regulation of the Internet. If excessive international regulations are applied to the Internet, there is a danger that these actions could stifle the private innovation that has driven so much economic growth in this sector.
(2) Creating an Internationally Harmonized Framework for Cloud Computing
In order to promote the further innovation thorough the development of cloud services and provide the end user with the best experience, the building of an internationally harmonized framework is essential. As a basic principle, direct and indirect regulation of cloud computing should be kept to the absolute minimum. To guarantee cloud computing's continuing development, efforts to build free, fair and transparent markets are vital. It is fundamental that national cloud markets, data centers and access to the Internet are open and that any cloud policies and regulations are transparent. In promoting cloud services, an environment that assures fair competition based on equal treatment of local and outside service providers is very important. U.S.-Japan collaboration in this area should be a model for other countries.
2. Cloud Computing Capacity Building and Bridging the Digital Divide
ICT is a "general purpose technology" that supports and is essential for many sectors of the economy. There are great expectations for its role in driving growth. There are many people in the developing world that cannot enjoy fully the advantages coming from the deployment of ICT. This is producing a "digital divide." Yet, in the case of cloud computing, the initial investment is limited and the operational costs low thus opening the door to providing the benefits of ICT more fully in the developing world. The United States and Japan should strengthen their support for economic growth in the developing world by funding more assistance in the deployment and utilization of ICT that relies on cloud computing. Such a policy can further raise the profile of U.S.-Japan cooperation in the developing world and through the sharing of best practices in cloud computing help solve Third-World social problems.
In this way, cloud computing will allow developing countries to get access to the same level of hardware and software resources as found in the industrialized world. But one challenge that needs to be addressed is the state of the network infrastructure. Solving this will require deployment of interfaces that can deal with gaps in network capability so that the developing world can be truly linked with one another as well as advanced countries.
3. Policy Issues
From the perspective of users, the protection of privacy is often raised as a major point of concern in evaluating cloud services for consumers, businesses and ultimately governments. Together with security, privacy is an important policy objective since it is key to engendering consumer "trust" in the cloud. Given the enormous societal benefit that can be achieved by tapping cloud-based technologies and services, and considering the vast amounts of cross-border data transfers needed to achieve the same, the government's role is to maintain the necessary balance between protecting user privacy and ensuring the free flow of information to support business and innovation.
Over three decades ago, the need for this balance was emphasized in the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data #2 (the "Guidelines"), which became the leading basis for international and domestic legal frameworks for data transfers throughout the world. The advancement of cloud-based technologies since then and the emergence of data as the core component for innovation in the digital environment only serve to reinforce the importance of such frameworks. Achieving the proper balance requires a pragmatic approach that evaluates the effectiveness of legal rules versus market-based initiatives in ensuring protection of user privacy in the processing of data and promotes the adoption of security measures that are appropriate to the complexity of the task.
The proper direction for the U.S. and Japanese governments is to focus on ensuring the effectiveness of existing laws not on adding new regulatory requirements, unless after due consideration they decide that it is appropriate to do so. The two governments should stay in close communication with the private sector on all of the following: initiatives towards developing a more transparent and consistent regulatory process with clear lines of accountability; an inclusive framework for public comment and involvement in rule-making if any; provisions for timely and efficient dispute settlement through established procedures; and the engagement of other national and international bodies to ensure that rule-making elsewhere does not disadvantage or unfairly burden our companies in offering cloud services across borders.
In order to support continued growth in cloud services, it is critical that regulatory frameworks are not overly burdensome or excessively prescriptive, and that they do not unnecessarily increase compliance costs and other financial risks for cloud services providers. In this connection, there is a need for a discussion as to whether "cloud services" is a legally meaningful category that warrants a separate and different regulatory framework. Going down this path risks higher compliance costs that could stifle innovation without significantly enhancing user privacy and data security
Business communities in Japan and the United States are also concerned with the possible impact on their cloud services business from the EU's recent proposal to change its data protection system. We understand that the European Commission is preparing to introduce a comprehensive reform of its 1995 data protection directives, with the new regulatory framework set to take effect in the coming years. This would reportedly place all of Europe under a single data protection regulation. While we fully support the efforts to create a consistent Europe-wide regulatory framework, we are concerned that definitions for such fundamental terms as "private data" and "data leakage" have yet to be set, making corporate engagement on the draft difficult. There is also concern that these new rules may increase compliance costs, reduce profits, and impact the launch of innovative services. This ultimately could hamper competitiveness and growth in and out of the EU. One specific example is the blurring of the roles of data controllers and data processors. This creates uncertainty and does not support the harmonization goals of the reform or deal adequately with the complexities of cloud computing.
In counterpoint to these developments in Europe, we support the further evolution of the APEC Cross Border Privacy Rules adopted last year at APEC. These rules are directed at creating a framework for regional cooperation in enforcing national privacy laws and facilitating information sharing. The APEC rules also set a consistent baseline for data protection practices for companies doing business in the APEC economies. In July 2012, the U.S. Federal Trade Commission (FTC) became the first enforcement authority within the new system.
The build-out and operation of global cloud computing infrastructure is a significant investment. Many cloud services providers today operate globally distributed services, which are best used in an environment where regulatory frameworks are globally interoperable and harmonized to the greatest extent possible. APEC and the EU are now discussing how "interoperability" might be achieved between the new APEC framework and contemplated European rule changes. We urge the U.S. and Japanese governments to press for early progress in these talks so that business and consumers of cloud services can have certainty and consistency with respect to what the expectations for privacy are globally. Progress here will also help to address the regulatory challenge of enforcement across national borders and lead to concrete steps toward establishing a model for global interoperability among privacy regimes.
(2) Information Security
Information security strategies for cloud computing need to protect the information received from users (consumers, businesses, and the cloud service providers that they connect with) and to preserve the integrity and security of the system that supports the services. In the case of cloud offerings deployed as a "service" on a network, most of the security resources are committed to protecting the network -- given its scale. Yet, for cloud operators, "information" security is also essential, since it is basic to maintaining the "trust" of users. For this reason, operators try to achieve the best mix of resources in line with costs to carry out a security policy directed to sustaining user trust.
Given the many diverse cloud services, users should have a range of information security choice, which assure differing levels of security based on cost. Of course, consumers need to be apprised of the appropriate security level for the type of cloud service they have selected. User protection and the development of a healthy cloud services industry require transparency about appropriate security levels, since from a technical perspective protecting information security on the cloud can involve issues that are qualitatively different from earlier security concerns related to use of the Internet.
In the case of cloud services, computing resources are concentrated in the server. Consequently, efforts to make servers more resilient (including through shoring up the capacity to restore and recover data) are very important. Cloud computing provides a unified computing environment and centralized management. This is often perceived as a positive aspect from an information security management standpoint. Yet, these advantages can also magnify the potential impact of a cyber attack.
Although in terms of computer processing power and data storage the role of the users' terminal equipment is tremendously reduced in the context of cloud services, the importance of security at this level is not diminished. The proliferation of devices beyond the personal computer (PC) such as smartphones and tablets afford multiple vulnerabilities to cyber attacks, making an appropriate response increasingly more difficult.
In the United States and Japan, awareness of information security issues is stronger when compared with the past and there are ongoing efforts to deal with the fundamental threat -- although these are not yet sufficient. However, both the newly industrializing countries and developing nations remain vulnerable to cyber disruptions and more must be done to build awareness and to encourage them to take fundamentally different approaches to information security.
In particular, since many security issues develop across national borders, there is a need to respond to the changing nature of these security challenges through a cooperative framework that crosses national jurisdictions. The complementary backgrounds and experience of the United States and Japan, including a relative familiarity with cloud-computing environments, can be leveraged to contribute to a better understanding of these issues in Asia and the world.
Safeguarding information security is a very important issue in developing a healthy market for the growth of cloud services. Dealing with organized and sophisticated cyber crimes and attacks requires an approach that can both stop and mitigate the impact of such incidents. Responding to this threat is not something that can be done by the private sector or by the U.S. and Japanese governments acting solely through their respective legal and law enforcement efforts. What is needed is a strengthening of cooperation on cyber security between the United States and Japan and a partnership between government and industry. We urge the two governments to give priority attention to this area. Areas for collaboration might include development of advanced technologies, strengthened internal and external communications channels, quick response and recovery procedures, and desktop exercises for evaluation of information security readiness ? as well as changes to the structure of administrative operations and greater education and awareness-building among users.
These and other practical initiatives should be discussed by experts in both countries. The United States and Japan should share best practices and establish a framework for coordination in dealing with threats to cloud computing. As the scope of this coordination expands, it will be possible to increase the sophistication of information security strategies in the cloud computing area. This will be significant not only in the U.S.-Japan context but also globally.
(3) Digital Content
The cloud protects the security of digital content and allows the user to safely access a diverse range of digital content and use it in a variety of ways. With the advance of the cloud, providers have launched a range of new services using digital content. As a result, users are able to enjoy interesting content services to an extent not possible in the past.
The cloud continues to play a larger and larger role with respect to the distribution and use of content. It affords the user an environment for enjoying and sharing content while also serving as a platform for deploying the technology necessary for appropriately guarding digital content rights. As a result, the cloud has accelerated trends toward the use of digital content in a variety of ways.
For example, "private content locker" services permit the user to securely, easily and quickly move content among a number of personal devices. This kind of digital content service is an important driver for future growth and innovation on the Internet. However, such a service also has to balance the need to appropriately protect content while meeting user expectations with regard to ease of use.
If digital content is to be distributed smoothly and truly energize the market, additional measures beyond providing appropriate security for content may be needed. Areas for attention include increasing the degree of latitude given services providers, (e.g. through clarifying the scope of their responsibilities), and securing an environment where users can safely and freely enjoy content (e.g. through appropriate changes to the copyright law and steps to facilitate the licensing of content). Additionally, steps to boost incentives for content providers to create and distribute digital content are essential. Efforts to harmonize the legal systems of the United States and Japan and to improve infrastructure are also important. The United States and Japan are in the position to take the lead in improving the business environment in the area of digital content. Our success will serve as a guide and example to other countries.
The fear of vendor lock-in is often cited as a major impediment to cloud services adoption. Many cloud users will stay with a vendor who may no longer meet their needs because of the complexity of moving data to another service provider. When a user's data is transferred from one vendor's cloud environment to another's, it is often necessary to first move the data back to the user's site and then transfer it to the new vendor's environment. If there is incompatibility between the former service provider and the new one, there is the risk that the structure of a user's data might be damaged as part of the transfer process.
Basically, what users require is the capability to use data and applications freely without worrying about differences in the way that information systems, cloud computing, legacy IT or some combination of these are structured. The user's interest is in producing innovation, not in the mechanics of how it is done. That is why interoperability among various cloud products and services is so important.
If users are to choose cloud computing with confidence and in order to promote the greater use of cloud services, it is essential that cloud SLA (service level agreements) be transparent and that security levels be established in line with service-based pricing. There is also a need for greater interoperability in order to avoid user issues arising from excessively "closed" vendor cloud services. Moves to enhance interoperability should include steps to forge stronger linkages among different cloud services and efforts to better align data formats and data management processes. However, any measures require careful attention so they do not result in new obstacles to innovation.
Free competition among cloud service providers should be encouraged. At the same time, however, closer alignment among cloud services is also desirable in the interest of securing interoperability. The reason is that among the key merits of the cloud is the capability of different systems to share information. There is a consequently a need for further consideration as to which areas might be more closely aligned. One example from Japan is the discussion regarding the "my number" proposal and the issue of whether a "corporate number" ID system should be introduced. Considering the global nature of corporate activities, if such a system were harmonized internationally, its value would be greatly increased.
Since cloud services vary from one provider to another arriving at similar technical standards is not easy. Ensuring data portability to allow users to move data between cloud vendors and cloud services is another important way to achieve cloud interoperability. Data and application interoperability can also be enabled with the use of published application programming interfaces (API) as well as other interfaces.
The cloud eco system is continuously producing new "players" and providing new market opportunities. That is why, in some circles, cloud computing is thought to be quite different from what might be called "normal" computing operations. There is also the view that cloud computing lies outside the rules that are widely applied to the Internet. Yet, it is not realistic to argue that the transfer of data within the cloud is substantially different from the exchange of data on the Internet. Cloud computing is not something that is fundamentally new or threatening and for that reason we do not believe that there is the need for a special regulatory framework for cloud computing.
Interoperability will stimulate greater competition among vendors and provide greater choice to users. This can be realized through the development and use of appropriate interoperability standards, APIs and interfaces. However, it is important that we do not force a single approach to providing cloud services or neglect the perspective of the end user (including interfaces in the native language) in order to promote continued innovation and greater utilization of the cloud.
(5) Updating Legal and Policy Frameworks for Cloud Computing
From the standpoint of industry, facilitating the expansion of cloud services will require clarification of the scope of responsibility for service providers and increased efforts to provide both convenience and data protection for users. Further, as the use of cloud computing grows, attention must also be given to the potential damages incurred by users in cases where cross-border transfers are not possible.
Due to these special technical characteristics, there are many aspects of the existing legal framework that are not well understood by users and this can make the decision to move to the cloud difficult in some cases. It is clear that increased transparency and clarity regarding existing law, which was not crafted with cloud computing in mind, are closely connected to the greater use of cloud services.
For example, when data containing advanced technical information is transmitted from a domestic location to a data center outside the country, the transmission might be treated as the transfer of technical information to an outside country and be subject to restrictions over the transfer of certain advanced technical information abroad due to national security requirements. At issue are what kind of controls are to be put on cloud services and whether such controls will be applied uniformly or on a case by cases basis. Based on the purposes for which information is to be used or on the contractual details of a service, clarification of the way in which restrictions will be applied in this area would greatly accelerate the development of cloud services.
Additionally, local governments in Japan have provisions in their law (the Connection Ordinance) prohibiting the linking of their internal computing systems with outside computing sources. While the restrictions in the ordinance are gradually being relaxed or eliminated, it is still cited by some potential end users as an obstacle to cloud adoption. Meanwhile, in the United States, a recent International Data Corporation (IDC) study#3 found that the major obstacles to faster cloud adoption among local government were lack of awareness of the benefits from cloud computing and adequate budget to migrate to the cloud. These issues need attention from national governments in the United States and Japan.
Additionally, national ministries in Japan charged with overseeing industry sectors ranging from health care to agriculture to transport should give due consideration to the availability of cloud services in promulgating new guidelines related to their areas of responsibility. The Digital Government Strategy,#4 issued in May 2012, is an effort by the U.S. President to promote the adoption of cloud services by U.S. agencies and the policy is being coordinated by the U.S. CIO.
We urge both governments to continue their discussions on cloud computing while considering the voice and experience of the private sector. We also recommend that governments make revisions to current law and reform existing practices in collaboration with industry with the goal of further promoting the adoption of cloud services.
(6) Other Issues
For cloud services to further expand, cloud computing must be a service that customers can use with confidence, that is offered under attractive service conditions and meets expectations with regard to price and quality. Issues, such as privacy, information security, digital content, interoperability and domestic and legal policy frameworks have been discussed above. Below we enumerate a number of concerns that do not fit clearly into the above areas:
One issue has to do with problems associated with the "continuity" of cloud services over time. Service providers have developed BCP to deal with risks associated with events such as natural disasters and are taking further steps to improve them through Business Continuity Management (BCM) strategies. As a result, there are expectations by customers for providers to be able to demonstrate the reliability of their services in emergency situations. There are similar sets of expectations with regard to Service Level Agreements (SLAs), where clarification is needed as to the level of privacy and information security and the scope of responsibility of cloud service providers. U.S. and Japanese industry should take the lead in developing benchmarks in this area and work to harmonize these with third countries.
A second issue is the challenge of further developing human and technical resources in the cloud computing area. There is a requirement for service providers to keep abreast of the latest developments in cloud computing and to employ personnel with the skills to support a cloud system. Cloud services are rapidly becoming a basic part of social infrastructure and, consequently, personnel training and continued technical development is essential so that users do not that no special technical expertise required to us cloud services for businesses. The private sector and universities can take the lead in this area, but governments should also provide appropriate assistance and we urge the U.S. and Japanese governments to continue to show initiative in this area.
A third challenge involves the promotion of "open government" ("big data"). Business opportunities that entail the mining and evaluation of data in order to produce new "value" require as a first step the availability of information, since absent this it is difficult to produce new value-added products or services. Developing an extensive database requires a considerable amount of investment, making the entry of new firms difficult. However, once there is access to a substantial amount of data, "good ideas" for utilizing this data can be generated that have real social and economic merit. Additionally, if data can be brought together from a number of different sectors, there can emerge services that heretofore had not been imagined. We strongly favor increased efforts to realize truly "open government." Both administrations have substantial amounts of data, which can be utilized in ways that will accelerate the development of cloud businesses.
A fourth area of concern is the need to develop internationally harmonized rules with regard to how data gathered from end users can be used by U.S. and Japanese industry so as not to undermine the potential of cloud services while at the same time addressing the legitimate privacy and security interests of end users. Industry needs to know what is permitted and what is restricted with regard to the handling of "big data" as well as personal data and data that falls under telecommunications secrecy rules.
III. Action Plan and Recommendations
The Internet is changing the way that people live and work. Similarly, cloud computing is changing the way that business is done and services that rely on the Internet are delivered. Until just a short while ago, organizations relied on their own IT systems, but with cloud computing it is now possible for users to access only the services they need when they need them. As a result, organizations can now shift investment away from building and maintaining an IT system to operations that are central to their business. We welcome cooperation between the U.S. and Japanese governments so that the benefits of cloud computing can be realized to the fullest extent possible.
1. Preserving an Open and Transparent Internet
An open and transparent Internet supports the development of cloud computing. What makes this possible is not government administration from the center, but a bottom-up multi-stakeholder governance process. The future growth of cloud computing globally depends importantly on a vibrant multi-stakeholder process and strong efforts to encourage openness and transparency and a fair and competitive environment on the Internet.
There are currently discussions ongoing in a number of international forums regarding the future of the Internet. The U.S. and Japanese government and private sectors should use every opportunity to participate fully in these discussions to ensure the continuance of an open and transparent Internet.
2. Internationally Harmonized Cross-Border Data Transfer Rules
There are currently a number of efforts to regulate cross-border transactions with the state goal of protecting domestic or regional economic activities. As a result, cloud service providers may be subject to overly complicated procedures in transferring data abroad. These restrictions could not only reduce the usefulness of cloud services, but also raise prices and impact unfavorably on the value of the service to the user. The U.S. and Japanese governments need to show leadership in taking steps to harmonize their own legal frameworks for data protection and those of third countries to create an environment allowing for the free flow of data across borders. These steps must be consistent as well with requirements for the security and privacy of individual data. Additionally, since in many cases the legal framework being applied was not developed with cloud computing in mind, there is an issue of how best to apply existing law to the new reality of cloud services. This is a challenge for many potential users of cloud services.
U.S.- Japan Recommendation
A. Government and industry in the United States and Japan should follow carefully the ongoing efforts within APEC to develop cross-border transactions and within the EU with regard to new privacy regulations. While respecting the overall direction of EU policy on strengthening privacy, we urge that EU reforms be harmonized internationally.
U.S.- Japan Recommendation
B. For users to deploy cloud services with confidence, there is a need to clarify the application of existing laws to the cloud-computing environment.
3. Cooperation between the U.S. and Japanese CIOs
The U.S. and Japanese business communities are now meeting periodically to discuss issues related to the Internet, such as cloud computing, numerical IDs, security and development of high-level IT talent. As necessary, the business communities should use the results of this dialogue to make recommendations to the two governments on measures to be taken. We believe that it is especially important for the two governments to work together in creating truly efficient E-government models that will promote the streamlining of administrative services in local regions and globally. In this context, it is important to make progress on such key issues as numerical IDs and digital administrative records. We urge the U.S. and Japanese CIOs to work together in in responding to these needs with the goal of better harmonizing approaches in the United States and Japan.
U.S.- Japan Recommendation
We urge the U.S. and Japanese CIOs in their planning and implementation of IT policy to stay in close contact with industry through periodic meetings and other channels.
4. Realizing a Secure Internet Environment
Copyright violations, counterfeiting, piracy and "harmful content" on the Internet cause great societal and economic damage. We urge the U.S. and Japanese governments to share "best practices" in dealing with these challenges and to work toward developing an international consensus in dealing with them. As technology moves forward, new services will appear and be used in ways outside our current experience. In step with this, there needs to be increasing harmonization of national systems so that innovation will not be slowed. It is important that the U.S. and Japanese governments work in close consultation with civil society to build an Internet environment that is secure and understand that changes and revisions to existing framework need to be made continuously.
The U.S. and Japanese governments together with the private sectors should create a forum, which will meet regularly to discuss newly emerging and future threats and can make possible quick and effective action against these threats.
5. Promoting a Global Cloud Business
The increasing use of cloud computing in areas like business and entertainment has the potential of strongly influencing the everyday lives of people. Because this is a global phenomenon, it is vital that the United States and Japan work together in developing a secure foundation for cross-border cloud services and develop a similar framework with third countries. The Asia-Pacific region represents over half of global GDP and is an important driver of global economic growth. For this reason, the United States and Japan should work together in pursuing a cooperative framework for cloud services in Asia, with the objective to encourage its diffusion to areas outside Asia, such as Europe and other third country partners. The private sectors of both countries have strong expectations as to the role of the U.S. and Japanese governments in cooperating and working together to realize this vision.
For newly industrializing countries to fully utilize the cloud, they need to comprehensively pursue infrastructure deployment, administrative reforms and the development of human resources. The U.S. and Japanese governments need to assist these countries and especially their public institutions to carry out this role.
The U.S. and Japanese business communities in this joint document are calling on the two governments based on their respective strengths to deal proactively with the various issues discussed in this paper and through their leadership of the global ICT industry contribute to national and regional growth and build a new international framework supportive of cloud computing. We also urge continuing attention to the areas of joint concern taken up in our March 2012 Joint Statement announced at the Third Meeting of the U.S.-Japan Internet Economy.