There are many reasons why law enforcement has been slow to embrace the cloud—from general reluctance to deploy new technologies to procurement policies that make purchasing cloud services more difficult.
A new joint study of the IBM Center for The Business of Government and the IJIS Institute entitled, Mitigating Risks in the Application of Cloud Computing in Law Enforcement, examines some of these roadblocks and recommends steps to reduce law enforcement’s cloud anxiety.
The study, using a survey of 37 law enforcement respondents, asks key questions about their overall views on the user-friendliness of cloud-based technology for law enforcement missions (i.e. fighting crime) and drills down on what matters most to law enforcement looking to make cloud investments.
For instance, the survey reported that, when deciding whether to purchase cloud technology, law enforcement cares most about (1) cost efficiency and (2) security.
Providing security is the #1 mission of law enforcement, so it is not surprising that this concern would factor into an agency’s cloud procurement. The survey further reveals specific security concerns about whether using cloud technology for mission-critical applications could cause a decrease in real-time access to data and/or erode reliability. These concerns are understandable given that in an emergency situation, these factors impact whether lives are lost.
Also, budgets for law enforcement agencies around the country are being slashed—making cost efficiency increasingly more important. A 2010 International Association of Chiefs of Police (IACP) study/survey found that “over 85% of agencies…were forced to reduce their budget over the last year with nearly half of agencies surveyed reported that they had to lay-off or furlough staff in the past 12 months.” This means for law enforcement in 2013, every dollar counts.
The study goes further to recommend a few steps that agencies can take to help ease these cost concerns such as looking to existing software providers to see if they can offer cloud computing services (without costs of conversion to a new provider such as data migration) or partnering with other law enforcement agencies to acquire cloud services—leading to greater economies of scale.
On the security side, the report recommends that law enforcement agencies develop detailed service level agreements—ones that require guarantees (and associated penalties) for cloud providers that fail to provide an agency with their desired level of accessibility and reliability. This could help law enforcement embrace the cloud but still sleep at night.
Another noteworthy result of the report deals with the FBI’s CJIS (Criminal Justice Information Service) rules that regulate the security practices (including IT practices) of law enforcement agencies with access to the FBI’s criminal history database.
When respondents were asked:
“Do you think the FBI CJIS Security Policy 5.0 provides appropriate security levels to support the use of cloud computing for CJIS services in your agency?”
Only 33 percent answered yes and 55 percent did not know. Some wrote that 5.0 completely prohibited cloud computing.
If you recall, early this year, the FBI responded to this very question, emphasizing that while law enforcement agencies do indeed have to comply with CJIS security rules when acquiring cloud services—nothing in CJIS security rules prohibits law enforcement from using cloud technology.
So where does the confusion come from?
In December 2011, the City of Los Angeles cancelled its transition to the cloud because it struggled to make its cloud service compatible with current CJIS security rules. At that time, LAPD declared “CJIS regulations are currently incompatible with cloud computing.” This caused fear in a lot of agencies, and sent the message that embracing the cloud may be an overly difficult transition.
Remedying this and addressing law enforcement’s concern over cloud technology is important. That’s why on January 31, 2013, SafeGov.org and IACP will be partnering to host a conference to discuss these very issues. The conference, which will be held in Washington, D.C., will include FBI representatives to help dissect the CJIS security requirements and perspectives from law enforcement officials wrestling with cloud decisions. For more information about the conference and the agenda, you can go to www.lawenforcementinthecloud.com
There may be many reasons why law enforcement has been slow to embrace the cloud—however, with some creativity and better dialogue between the FBI and law enforcement agencies, there does not have to be.
Richard Falkenrath is the former New York City Police Department Deputy Commissioner for Counterterrorism (2006-2010) and Deputy Homeland Security Advisor to the President (2002-2004). He is currently a principal at The Chertoff Group, a global security advisory firm, which advises clients on cybersecurity including cloud computing.