Carnegie’s Research on the Cloud

The ascendancy of cloud services represents the cutting edge of the digital transformation. It yields significant benefits tied to security, growth, innovation, efficiency, agility, and economies of scale. But it also raises serious concerns, challenges, and risks that would benefit from comprehensive and coherent governance.

To promote global stability and welfare, Carnegie’s Technology and International Affairs Program has established two parallel tracks of cloud research, designed to deepen the understanding of and enhance trust in the surety, equitability, and sustainability of cloud services:

Cloud Governance Project

Risks of major disruption to cloud services will invite regulation by governments at various local, national, and international levels. Moreover, as the cloud’s ubiquity increases, other aspects and implications of the technology – beyond the risks of disruption – will also attract scrutiny and regulation to protect or advance public interests. For example, reliance on foreign cloud providers and the transnational movement of data has led some governments to pursue digital and data sovereignty. The potential of the cloud to turbocharge economic development has raised questions about maximizing its inclusiveness and equitability. The concentration of the cloud market among hyperscale providers may invite the government to play a more active role in supporting cloud infrastructure and domestic cloud markets.  

To avoid rushed, ill-conceived, or counter-productive regulatory approaches to the cloud, concerned players must now conceptualize and then communicate the nature of the challenges involved as well as the interconnections and tradeoffs across issue areas. Such conceptualization can help guide multiple stakeholders in constructive directions and away from undesirable pathways. Indeed, this process should be conducted with multiple stakeholders and its conclusions debated and refined with them.  

Carnegie’s Cloud Governance Project aims to catalyze this process, by (1) offering a comprehensive mapping and assessment of the issues associated with cloud services, and (2) developing a generic model for cloud governance for adaptation and application across settings and global contexts. In doing so, this project aims to promote transparency and cooperation across the cloud’s stakeholders, and promote the development of a coherent global cloud governance structure anchored in a mosaic of complementary arrangements – from legislation and regulation to corporate self-governance, international standards, and norms.

The contours of this approach are beginning to emerge. In Europe, the Gaia-X initiative aims to catalyze innovation by freeing customers from the business and security concerns associated with dependence on a single cloud provider. In the US, the proposed ACCESS Act would stand up a technical committee composed of technology experts and relevant businesses to achieve similar goals: to balance considerations of market competition and technical feasibility when designing new standards for cloud portability and interoperability. On other issues, like sustainability and lawful government access, cloud providers and major customers are organizing themselves to provide more consistent and fair governance where governments are lagging or conspicuously absent. Our analysis can help inform these initiatives, advancing actionable solutions that maximize the cloud’s benefits while minimizing its risks and negative reverberations.

Cloud Risk Management Initiative

Carnegie has assembled a working group of cloud providers, insurance experts, and regulators from several countries and U.S. states. Together, we are developing a surety model for cloud services that will include metrics of (un)acceptable failure/down time (segmented by service type) and definitions of what is critical and what resilience and robustness mean in practice. This risk-based model will help inform model regulations and design criteria for the cloud. The working group will create a matrix to assign responsibility for financing recovery from disruptions among cloud providers, consumers, governments, and insurers. Lastly, the working group will help develop a public-private burden-sharing formula to encourage governments to help offset some of the risks and cover the tail-end costs of catastrophic cloud disruptions. 

The aim is to give cloud providers confidence that they can reassure the regulatory and insurance communities that cloud providers have done all they reasonably can to mitigate risks to consumers, insurers and governments. Otherwise, risks could be so daunting that some combination of cloud providers, insurers and governments would either “drop out” before a major disaster occurs, which would deprive societies (and cloud stakeholders) of the benefits that the cloud provides, or stay in business but leave others holding the bag for disruption-induced damages.

Users of cloud services will gain confidence that the quality and risk management of providers are excellent and auditable enough to warrant insurers’ provision of risk capital.  

Insurers will gain more transparency from cloud providers to bolster confidence in insurance risk models, and at the same time recognition by regulators and publics that – as with terrorism, nuclear accidents, and some acts of nature – government will be compelled to step in after private resources have been exhausted and finance recovery from the worst disasters. 

Financial regulators would gain insight and confidence that the risks to third parties (investors and publics) built into insurers’ portfolios are tolerable. Governments more broadly would see our model as a basis for identifying where a reasonable line should be drawn between the risk that private enterprise (including alternative capital markets) should bear and the risk that government should be willing to take on in order to enable a socially valuable service like the cloud to continue to operate.

Previous Research, Commentary, and Engagement