The latest trends for enterprise technology managers on improving IT security, network infrastructure and IT risk management. Presented by Priscilla Tate of Technology Managers Forum.

The week before Labor Day tends to be a slow one for news and maybe that’s why an opinion piece in the New York Times by Vivek Kundra caught my attention. In his brief essay he deplored those who stood in the way of progress and IT efficiency he wanted to introduce into the business of running the government under the aegis of cloud computing.

Vivek Kundra made history when he became the first CIO for the US government. Now that he has left the job for greener salaries in an MIT think tank, he is kicking dust in the face of the colleagues he worked with, or should we say, those he railed against? It was no secret among the vendors who sold solutions to government entities that Vivek Kundra’s cloud push went over like a lead balloon. He was stonewalled at every turn and the cover story was no security and privacy in the cloud.

Kundra is a big-picture kind of guy and I won’t argue with his premise. Cloud is the way things are going to go and it is happening faster than we think. But let’s not forget where we are standing right now—in the mire. A lot of what we have in government and in private industry is so established that it would be too disruptive and expensive to throw it on a smart phone with a browser front end to an amorphous cloud. If Kundra had a fatal flaw, it was that he was not operational when it came to systems engineering and people management. It is a blind side not limited to CIOs. They have vision, but they trip up on the nitty gritty of how to make it work.

Vivek Kundra, in his brief tenure as US CIO, could have used more ambassadors and diplomats for technology on his team who understood security. His cloud ultimatum did not take into account the inertia of established systems and patterns of human behavior. He saw the morass of government information systems and decided to throw it all out. Good for him. But he didn’t last long in the job of CIO, another hazard of being in the leadership class.

To be successful today, IT leaders need more than vision; they must be change agents who can work with systems and people. Because it is Labor Day in a year when unemployment numbers are higher than they have been since the 1980s, let's not forget that cloud computing is part of the continuum of office automation. Office automation had its antecedents in factory automation--doing jobs faster and better with machines. The people who did those jobs did not have work as a result of factory automation. In this day and age of Cloud Computing, there will be new jobs (especially for those who are think tank material) but it's not going to happen in sync with the loss of work and it is not going to be pretty.

Do we need a government cloud? Yes. We also need an education cloud, a healthcare cloud and a secure, regulated and transparent banking cloud. Being able to share computing resources via cloud services is the next logical step toward global commerce and it will be the springboard for the next round of innovation. In the blink of an eye, a new technology will unravel today’s efficiencies and we will be involved in revolutionary change that never really took a breather.

If Leon Trotsky were alive today he would be amazed to find that the “permanent revolution principle” he predicted was necessary for social progress in the industrial age was being fueled by something called cloud computing and social networking in the first decade of the new millennium. Those who have been involved with the business of managing information on a large scale are acutely aware of how fast and disruptive the continuing pace of innovation has been for the organizations we work for. But you don’t have to be a philosopher to appreciate how new technology continues to powerfully transform the way we live and work. Just ask the Egyptians, who will be the first to tell you how their use of Facebook was nothing short of revolutionary.

If you remember the Robbie Burns poem, "To a Louse", you will recall his famous words, "O wad some power the gifte gie us to see oursels as ithers see us!" He was ridiculing a woman in church who was putting on airs, unaware that there were lice in her bonnet. How do I get from a Scottish poet's observation about human nature, to the conclusion that America is a louse, other than to note that bed bugs are on the rise in New York?

I continue to be struck by the fact that American technology companies are perceived by the rest of the world as invaders of indigenous cultures. Whether it is Google's search engine in China, or Russian hackers like BadB, who ran one of the most significant cyber crime networks in the world, the whiff of nationalism is unmistakable.

Globalism, a megatrend which the Internet makes possible, exposes our vulnerable underbelly. The fact that any country can have a global business via the internet means economic nationalism has become a force to be reckoned with. The technology segment of American industry needs a lesson in diplomacy.

In the case of Google vs. China, the fact that the Chinese want to spy on political dissidents is secondary to their avowed strategy, which is to keep the lucrative search business in the hands of the Chinese. When it comes to Russian cyber crime, hackers are openly recruiting agents with the call to help them fight American Imperialism.

I don't have an answer yet, for how American technology providers can or should respond to the fact the rest of the world considers us as steamrollers of our national identity. But perhaps if we could see ourselves as others see us, we could make a few less blunders.

Since when is a Google search evidence of malfeasance? Someone on HP's board is on a power trip, when they feel they can hold a CEO's Google searches as evidence. The whole matter of Mark Hurd, a former marketing contractor and the HP board is rife with fetid intrigue. And anyone who has served on boards knows how easily this can happen. Too many cooks....

Not that I have any inside information, but at face value, a claim of sexual harassment by a former reality TV star, should be relegated to the low priority pile. The fact that celebrity lawyer, Gloria Allred, has been retained on behalf of the former contractor, Jodie Fisher, is what elevated the charge to one that could not be swept under the carpet. When the big lawyers get involved, you know they have real dirt.

The whole exchange of claims and counterclaims (who said what to the board, and when) reminds me of a bunch of adolescents who are engaged in prurient gossip under the guise of fact finding. Stuck in the middle of a WSJ article on Hurd's exit was the statement that board members reviewed the Google searches made by Mark Hurd. They found that he googled Jodie Fisher and saw racy videos she posted. Next they are going to find out that they were friends on Facebook.


WWDD? What would Dell Do?

However, both the accused and accuser assert there was no sexual misconduct, so why did the mere assertion of impropriety cause the ouster of the CEO? Could it be just accounting irregularity with an expense report to the tune of $20,000 which Mark Hurd paid back? Listen up, HP Board members, you need a reality check. Take a look at last week's business news about another CEO, Michael Dell. The SEC fined Dell Computers $100 million because Dell (and his CFO) took money from Intel and misled investors about the profitability of the company. But Mr. Dell is still at the helm. Surely his financial duplicity would have been cause for an ouster, if he had had HP's board of directors.

The magnitude of Hurd's $20,000 financial impropriety is ludicrous by comparison. Who on the HP board was doing the math? They were way too busy being outraged. Since when is acting on rage a good business practice?

Perhaps Mark Hurd was out of line, but in MHO, HP's board not only went over the edge, they jumped off a cliff. I would feel sorry for Mark Hurd and his public embarrassment, but a $35 million severance pay should make the hurt go away with time. But seriously, you have to wonder about a Board who feels that Google searches are evidence of a smoking gun.

Terry Childs, the former San Francisco network administrator who refused to give up the city passwords to his superiors, continues to pay a high price for his act of defiance. For two years, Terry Childs has been in custody for this and his motion for a retrial has been overruled. I continue to ask myself, "where were the level heads when this thing went down?"

Something really went wrong in this case. I can understand that he distrusted his immediate managers, but who in their right mind would have advised him to hold the City of San Francisco network hostage for 12 days to the tune of hundreds of thousands of dollars?

For Terry Childs' sake, I hope there is another side of this story that we have not heard, yet. If he just went crazy and no one could get through to him and that is all there was to it, then the sooner we forget this incident, the better. But why couldn't a mediator with common sense have prevailed and spared the city of San Francisco, and the IT community and Terry Childs all this agony?

Priscilla Tate-TechForum.com

The Privacy Quagmire--Google Stepped in it

While I applaud the fact that Google pushes the envelope and is charting its own course, its Street View project hit a landmine in Germany today. Germany opened a criminal investigation into what kind of data from Wi-Fi hotspots Google collected as part of their application development effort. What started out as an official audit of Google’s compliance with Germany’s data privacy laws, turned into a cover-up scandal.

The missing hard drive

The German official auditing a Street View device noticed the hard drive was missing. When the official asked to inspect the hard drive, Google refused to provide it. Although Google has stated that they will be willing to destroy the data, they have not surrendered the drive, yet. One of the conclusions that I draw from this is that revealing the information on the drive would not only be incendiary, it could convict Google in a European court of law.

Socially inappropriate networking
Google continues to demonstrate a naiveté about the political and social implications of new technology and I wonder how a company that has a mantra, “Do no harm,” sets its priorities. Take their stand against censorship in China, for example. It will cost them market share in the long run, but with their stock price where it is, who cares? They did a little grandstanding against China, and to tell you the truth, I admire them for that. I feel that Google “gets” the fact that they will not be the only search engine in the world.

On the other hand, what we all found out as a result of the China stand is that Google is increasingly perceived as an agent of American colonialism by other countries. The German lawsuit over data privacy is a modern day version of the “ugly American.” We charge into every culture, assuming that our way is the best, and we inadvertently trample norms and values that have been in place for centuries.

Clueless in Hamburg
To return to the Street View vs. personal privacy debate, Google has been clueless about the implications of what it is doing. I get the impression that all projects at Google get a green light under the brainstorming principle—don’t shoot anything down, let’s try it first and then decide. That is perilously close to let’s make up the rules as we go along, when it comes to a corporation with the resources to video every street in the world. Who knows what the ultimate uses and value of Street View will be? Google is collecting Wi-Fi hot spot names and MAC addresses with an eye to selling location based advertising. But having the data on Wi-Fi hotspots all over the world might be the real commercial value of Street View. Be that as it may, it is as if the privacy violations were not even considered in Google’s project development plan. And withholding the hard disk from authorities is like waving a red flag in the face of a bull. The litigation hasn’t even started yet.

The Black Market for Stolen Data and the ROI for Security Spending

Much ink is spilled on how IT should come up with an ROI for security spending. No answer to this question is simple, but have you looked at your accounts receivables lately? Once you set a price on what your data is worth and how much you will sell it for, you have a value you could be using in any calculation of what a loss of data due to software vulnerability could be worth.

Let me explain. Corporate data is bought and sold all the time, legitimately. It is born with a value that the seller assigns it when it goes out to the marketplace. Take a credit card company, for example. It sells demographic information about card holders, along with addresses or emails to other businesses. I used to be able to tell when my name on junk mail came from a Sears database, because only Sears uses a particular misspelling of my first name. (Have you ever tried to spell “Priscilla” for a non-English speaking person or to someone who has never heard of Elvis Presley?)

Just the Facts, Ma’am
Why am I having a “eureka” moment about the value of corporate data? Because there is an IT problem that won't go away--how do we communicate the value of a security spend to non-technical business management? Part of the problem is that certain research organizations in our industry famously distribute exaggerated projections of what a data breach could cost a business. Some monetary loss estimates are really out there, which makes them almost counter-productive when used as a cost justification for buying security products or services. When IT goes to business and says: “We can save billions of dollars by spending a few million on security”, the business guy is going to say: “I am from Missouri, show me.” Or as the FBI would say, “Just the facts, Ma’am.”

Tipping Point & the Zero Day Initiative

Thanks to Tipping Point, who has created a program called the Zero Day Initiative, the good guys have accumulated some benchmarks on what certain kinds of data would be worth on the black market. Tipping Point will be happy to sell you this data, of course. The Zero Day Initiative is a simple and well thought-out program that pays developers cash incentives to find and report software vulnerabilities to Tipping Point (and only Tipping Point). In fact, the more flaws you report, the more you earn from Tipping Point. For its part, Tipping Point liaises with the software publisher to create a fix which is distributed to users in a timely manner. Those who subscribe to Tipping Point’s IPS services get an IPS filter to protect them until a patch from the original vendor is available. The typical turnaround time for vulnerability reporting to fix is two weeks.

The Black Market Value of Stolen Data & a Credible ROI
This is great stuff, but how do we get from vulnerability fixes to a passable return on investment argument that can be used in a business presentation? David Endler, Sr. director of security research for Tipping Point and the chairman and founder of the Zero Day Initiative, gives us this guidance. He recently commented on the value of the data that Google lost to China-based hackers on the black market. He carefully stated the value of the data that was stolen (not the worth) was about $20,000; he estimated that on the black market, it would sell for $30,000-$40,000. Endler derived the black market value from the corporate value and expressed a formulation for the value of lost data. Stolen data on the black market typically costs 30-50% more than the data would be sold for legitimately.

Do the Math

Whether you get your industry benchmarks from security experts like Tipping Point or the FBI, why not use the black market value of data in your ROI? By adding 30% to an accounts receivable line item, you will have a value that would work conservatively in an ROI that justifies security spending. Isn’t this more credible than trying to put the total cost of ownership into an ROI argument? Even if you value your data conservatively, the number you come up with may be enough to legitimize spending on a security measure that would keep your data from being sold by someone else. Tell me I'm wrong.

Don't Let Your Children Grow Up to Be Cowboys
The firing of Bob Maley, the State of Pennsylvania’s CISO, allegedly because he spoke at RSA about an exploit that he and his team discovered, tracked and remedied, is chilling. There may have been other issues behind the firing, there always are (we call it politics), but it illustrates the extent to which cyber security reality is bumping into the naiveté of non-technical business management.

In this instance, the threat was past tense and what the team learned in the process was invaluable not only to the group in Pennsylvania, but to those who participated in the session at RSA. Security professionals today come up against a barrage of information from auditing or performance reports and logs that track everything that passes in and out of the firewall. Sorting out significant activity from normal traffic is an art form in and of itself--more computer séance than computer science.

Transparently Not in Pennsylvania

The case in point that Bob Maley shared was about an exploit in the Pennsylvania Drivers Licensing System. He and his team noticed the registration system for the exams was getting thousands of hits coming out of Russia. The real story was how they solved the puzzle and determined it was not state secrets the hacker was after, but a place at the head of the class. The owner of a Philadelphia driving school was using a proxy server to exploit a bug in the system which allowed him to schedule exams for his students. Normally, the waiting time to take an exam could be six weeks.

Security Breaches Raise Security Awareness

In my book, Bob Maley is more of an IT hero than a scapegoat. He has been out after dark and is not a newbie when it comes to dealing with the criminals or dealing with the press (not that the two professions have anything in common with each other). He is a former police officer and he has also been the cover story in SC Magazine about how he responded to a data breach in 2007 that compromised half a million state records. His firsthand reporting of what a breach looks like and how to go about solving it with the cooperation of local authorities is not only relevant, but it also raises the awareness of everyone about how easily data can be manipulated and misused. Nothing teaches security awareness better than a security breach.

So what went wrong with Bob Maley’s career? If he did not get clearance to speak at RSA, that is his own fault. However, I find it hard to believe someone with police training would not understand chain of command. I wouldn’t be surprised to find out that the problem had more to do with someone in a position of authority not understanding what a proxy server was, or how sinister the nature of cyber crime has become. We need to raise the level of awareness of cyber crime, not sweep it under the rug. It is a sorry state of affairs when those who lead successful security programs are viewed as paranoid control freaks, business roadblocks or public relations liabilities.

An IT Tells All Audio Book

If Bob Maley is taking a break between jobs, I hope he hooks up with a good writer and makes a bestseller out of the State of Pennsylvania fiasco. I would suggest the same thing to Terry Childs, the former network manager of San Francisco, who was still in jail awaiting trial, last I heard. His crime was to withhold the network administrative password from someone with a nitwit's understanding of network operational security.

Google vs. China: China Already Won

Who is greater than Google? China is. Why would a multi-national corporation like Google not adapt to the laws and social mores of a country within whose borders it operates? It is a question worth asking, as we await the outcome of the Google/China negotiations over what Google calls censorship. China does not consider this a battle over censorship. They consider this a war of independence for their nation and their national interests. In certain respects, the Chinese are having a Tea Party moment.

More than just Censorship

The history of Americans abroad is littered with stories that demonstrate our naiveté and the cultural blunders caused by blind allegiance to the American way. We all had to read The Ugly American at some point in our education, which poignantly drives home the image of Americans behaving badly in Southeast Asia.

So if Google wants to accuse China of censorship, that may make everyone on this continent feel better, but it is not the same argument that China is making. China is motivated by its own sense of nationhood. It wants to solidify the business advantage that home grown search engines, like Baidu, have in China. One of the most important facts underlying the Google China standoff is the economic reality that Google only has 30% of the search engine market in China. If Google is not growing that %, then it is losing ground and it is only a matter of time before Google loses its foothold in Chinese commerce altogether.

Frontal attack on Intellectual Property

Google is in a delicate position in China, because its own employees apparently collaborated with the other side. Chinese hackers may have been aided in their deep penetration of 30+ American-based businesses, especially those companies who dominate the technology marketplace, by employees and former employees of Google.

Furthermore, Google is in the unenviable position of having to accuse the Chinese government of attacks on its intellectual property. IMHO, Google is hanging in with the negotiations with China, but is probably willing to return to China’s censorship rules, if they get some concessions from the Chinese government about the cyber attacks. Google would like to see China taking action against the cyber-attackers, or cracking down on the military efforts of the Chinese government to support those hackers.

Intellectual property is an American concept
I am not taking sides, I am observing the forces at work. Google’s core philosophy is that its search engine should be the online interface to online resources. China, on the other hand, may be manifesting the philosophy that searching is an invaluable tool, a means to an end--not the exclusive property of one corporation. Search engines are about making the world library of information available to all. And why shouldn't Chinese information searches benefit those who live and work in China? Those of you who have lived abroad may have observed that what American based software publishers call “software piracy” is not viewed as a crime. The concept of intellectual property is a cultural disconnect, at least in China. It doesn’t translate well into the nation state mentality of many cultures that operate in other parts of the world. I see Google’s posturing in China as Custer’s Last Stand. American business, under the guise of Google, is about to get a lesson in cultural relativity.

Google--Benign Dictator or Maverick?

There are many in my circle who are quick to point out that Google is headed for world domination and that would not be a good thing. My logical brain accepts this as fact. But I must confess, who wouldn’t have a soft spot in their heart for Google, upon reading they have set up a web application for Chileans to ask for and receive information about their loved ones who are lost or missing as a result of the 8.8 earthquake? And I do respect Google for staying mostly on the high road in response to the efforts of China-based hackers to grab information on Chinese dissidents.

Taking the High Road


As I go down this road of thinking that Google governance is consistently that of a world citizen, I have to remind myself that not only some of my friends, but the rest of the world does not see Google that way. Google’s economic dominance of the online search advertising business (over 70% of the market for search advertising) has become synonymous with American financial interests. Countries like Iran and China want to own the revenues from the search engine business within their borders and see Google’s reach as American colonialism of the first order. And the role of American financial firms in destabilizing governments in other countries by selling them hokey financial services products only adds fuel to the fire of the anti-American business sentiment.

Google Goodie Two Shoes


So where does my admiration of Google come from? I must admit to a certain amount of Schadenfreude that Microsoft is currently on the losing end of anything. However, I think it comes from my respect for the fact that Google is writing their own game plan. If any modern organization has demonstrated a sense of collective corporate ethics, you could make the case for Google. Witness their recent protestations that Microsoft is the proxy funding the anti-trust lawsuits against Google at home and abroad. To me it is quixotic that Google would call out a competitor like Microsoft for using legal shenanigans to make trouble for Googleopoly. However, in the war for public opinion, it might make a difference to claim that Microsoft is cheating, and it reinforces the Google brand as an Honest Abe.

Taking the Law Road


The trouble with benign dictators is that they tend to believe their own propaganda. World opinion is fickle, but lawsuits and the rulings of the European Union are all about money. I hope Google proves me wrong about its being a benevolent dictator and takes a page from the Microsoft handbook. They need to get legal, go on the offensive and get their hands dirty in court. Apple, Microsoft, SONY and even XEROX are getting into the patent litigation game. This first spate of lawsuits could well be the beginning of the end of Google’s dominance.

No doubt about it, Google is an original and comes up with some surprisingly un-corporate moves. What’s not to like about a Maverick? But it is time for Google to beware. Mavericks tend to get cut off from the herd when the wolves attack. Unfortunately for Google, the wolves are at the door. There is a battle brewing, not just in America, but around the world for economic stability. To all my friends who fear the Googleopoly, I say “Relax.” To paraphrase Mark Twain, “I have seen a lot of trouble in my life, but most of it never happened.”

Funny how I can’t stop talking about Google these days. I guess because, as a company, it has not yet become a “ship of fools.” The allegory of lunatics bundled together on one ship crisscrossing the vast ocean without a captain or a pilot has a rich history in literature and art, as a simple Google search will demonstrate. In modern day terms, I think "ship of fools" describes the way I feel about many of the organizations and institutions we have come to view as “too big to fail.” The problem is--I am a passenger on this boat.

Pursuing this metaphor (possibly into the ground), let's say the ocean is the Internet, which no one really steers. Google has provided us with some pretty good maps, but those on the boat think reading a map and sailing a boat follows like the night the day. If you have ever attempted to hoist a large sail, with a bunch of people who do not know which way the wind is blowing, you will quickly get my point.

E-Books ratify the old rules of publishing


The e-book skirmishing between Amazon and Macmillan, where Amazon protested about Macmillan’s agency pricing, was a minor episode in the ongoing drama of how much the online world has changed the rules. Amazon was not fighting about saving their costs—they were paying Macmillan the same wholesale price with either scheme. They were not really trying to save the customer money, even though $9.95 for books on Amazon’s Kindle sounds better than $12.95-$14.95 on the iPad, which in and of itself costs a pretty penny. They were seeking to retain their dominant position in bookselling in an online world they pioneered.

The big story at all the consumer electronics shows is that a world of electronic reading devices will soon be on everyone’s shopping list. E-book reading devices will probably be as omnipresent in our lives as television was in the last decades of the 20th century. So publishers and booksellers have another way to distribute content—what else is new?

Google is new. Google gets it, and they are ready to catch the wind when conditions are right. Meanwhile, publishers, booksellers and hardware manufacturers are loving the friendly point of sale combination of iPad and content and Amazon Kindle and content. I think this generation of reading devices will be boat anchors all too soon. I don’t want to pay a lot of money for books and have them stuck on a proprietary device that I can’t reference or loan to someone. Or resell in the used book marketplace. Talk about wasting paper towels, someone will no doubt come up with a way to preserve the shelf life of e-books.

Google Editions is a more seaworthy boat

Google could be the one that makes all that happen. They are positioning themselves via their search engine, to make their online library available to your personal repository and vice versa. Throw in blogs, videos, movies, and anything else that can be digitally rendered—it will be as easily done as I inserted the reproduction of the Hieronymus Bosch painting of the Ship of Fools as an image in this blog. I did not ask the permission of the Louvre to reproduce it, and I hope they don't come after me for museum admission fees.

Google is staying the course for now. With e-books, they will diplomatically go along with the existing channels, publishers, royalties, agency fees. But with Google Editions, we are in uncharted waters. Google wants to provide a search engine for out of print books it has scanned, and eBooks that it publishes directly. The courts will mess around with this one, and starving authors will protest too much, but the genie is out of the bottle. If you can upload your thoughts to the world as quickly as your mind can think them by hitting the enter key, how can a publisher put themselves between you and the reading world and charge you both for the privilege?
