I saw this excellent article by Paul Strassman (writing a guest post for Larry Dignan) at ZDNet. I admit, though- I did not know that government officials– in this case, the Department of Defense– use Gmail for their government correspondence. Holy cow!
Federal Chief Information Officer Vivek Kundra has been a consistent advocate of increasing the government’s use of commercially available technologies, such as Gmail. In fact, as the District of Columbia’s chief technology officer, Kundra implemented Google Apps, including Gmail, for all District employees.
A number of Department of Defense (DoD) organizations are already using Gmail. Meanwhile, Google has made secure Gmail the default choice in light of the cyberattack the company detailed on Tuesday.
…Once you can wiretap, you can eventually figure out how to distinguish Gmail traffic from other traffic, and reverse engineer how Gmail data is replicated across servers.
There is no defense against a hostile party with full physical access to your server room. That is why Google’s only logical option is to withdraw all physical servers from China.
There are two Google data centers in China, almost surely co-hosted on shared facilities and not owned by Google. Similarly, there is a co-hosted facility in Russia. Unless a facility is owned and operated by Google it would be always suspect, and even then it would not qualify to operate DoD classified mail.
DoD should therefore not consider Gmail as a viable option because it cannot be trusted. Only a secure DoD Private Cloud, isolated from the Internet, can be seen as an acceptable option.
It’s a contentious issue- the comments on the post are filled with such incredulity as I express. And an update to the post was issued later today, when Google spokesman spoke out:
The premise of Mr. Strassman’s post is without merit: there’s no need to withdraw servers that store Gmail information from China because there aren’t any there.
I think Mr. Strassman’s post IS merited… because while Mr. Strassman does mention the recent cyberattack on Google’s Gmail as an impetus for moving DoD mail away from Gmail, the premise IS that the DoD, and truly all government offices, should have their own secure email system outside of the “cloud” maintained by global business. It’s just good sense. It blows my mind that the DoD has email with Gmail! Doesn’t the government have their own system?! It mirrors the same bafflement that I have regarding the SSL issues with online banking websites– their security is pitiable, whereas my photo-sharing account is tighter than a drum. Crazy!
January 14, 2010 at 4:15 pm
Never fails to astound me the risks they take. Are they oblivious?
January 17, 2010 at 1:34 pm
Wow! I’d never think someone would use Gmail for official correspondence. However, it does seem like they just want to promote use of technology including Gmail, not just rely on it solely. Still not a wise idea but the intentions are understandable.