Brad Smith

During a visit to Washington, D.C., this morning, Brad Smith, Microsoft's general counsel, asked the U.S. government to overhaul its laws to make cloud computing more secure and private, and to make it easier for cloud-computing providers and law enforcement officials to track down and prosecute online attackers.

Speaking at the Brookings Institution Policy Forum (transcript here), and writing in the Huffington Post, Smith said the U.S. should lead efforts to make international laws related to online services more consistent. He also called on cloud computing providers to adopt "truth in cloud computing" principles to give people "full knowledge of how their information will be accessed and used by service providers and how it will be stored online."

Microsoft is one of the big players in the industry, recently launching its Azure cloud computing platform in competition with Google, Amazon and others. As an example of the issues faced by the cloud-computing industry, Smith cited the online attack that prompted Google to say it would no longer censor its search results in China.

Speaking with Smith via phone after his speech, I started by pointing out that a vulnerability in Microsoft's Internet Explorer contributed to that attack. I asked whether the responsibility for cloud-computing security rests more with the government or with industry. Read on for his response, and for other excerpts from our conversation.

Smith: I think the real point I was underscoring this morning is that when it comes to security, the industry is the front line of defense. We in industry need to be vigilant. We need to continue to improve our security on a daily basis. That is going to remain a fact of life for the rest of all of our lives. Nothing the government does or can do will ever change that. At the same time, we need government to take new steps, as well. As I said when I was speaking this morning, if you live in a city, you want to have a strong door and a strong lock. You also want to have an effective police force and clear laws that are well-enforced.

The same is true for cloud computing. Just as the industry needs to move forward, we need Congress to take new steps, as well. There are areas where the law is unclear or where there are gaps. We need Congress to fill them. There are areas where law enforcement is going to need new technology and is going to need to coordinate more closely. We need those kinds of steps, as well. This isn't an either-or proposition. We really need industry and government to both move forward, and we're going to need more coordination between industry and government, as well.

Q: You raised some interesting scenarios in your speech of companies being caught in a Catch 22: complying with laws related to cloud computing in one country, and as a result violating laws in another country. Has Microsoft run into cases like that?

Smith: We definitely have encountered legal issues that have the potential to become Catch-22 situations. Happily, to date, we've been able to engage in discussions with prosecutors or other government officials, and we've found ways to resolve them. But these are definitely a looming set of challenges. ... This is a train wreck waiting to happen for companies in this business unless we get better international coordination among government.

Q: I'd be remiss if I had you on the phone and didn't ask you this. What is your take on the situation in China currently with Google, and does Microsoft plan to follow Google's lead there?

Well, I just had a general comment about the importance of free expression on the Internet in my talk this morning. We recognize that there will come a time when we'll want to say a bit more, it will be important to say a bit more about these issues, but today is not the day, today is the day we really wanted to focus on issues here in the United States, and the need and opportunity for new action by industry and by the U.S. government.

Q: Given that, what would be your biggest priority out of the agenda that you outlined this morning?

Smith: I really tried to highlight three things. No. 1, we need clarity under the law about privacy, so that consumers and businesses will continue to enjoy strong privacy protection for their information when it is stored in the cloud. No. 2, we need additional steps in the security area so that we will continue to have strong laws that are enforced in an effective way. No. 3, we need the U.S. government to play a leadership role in addressing the international sovereignty issues that increasingly are becoming obstacles to cloud computing on a global scale. Those are three focused sets of recommendations. We think it's the type of area that Congress and the administration could move forward quickly to address.

Q: What does Microsoft plan to do?

Smith: We're obviously focused on addressing all of these areas in our own business. We're focused on being clear and concrete with consumers and businesses in the privacy area. We're focused on taking steps to improve security. We're engaged in discussions with governments around the world to try to ensure that cloud computing advances quickly and successfully not only for ourselves but for our entire industry.

More broadly, this morning was about starting a new conversation with people in government and across the industry about the need for action by the U.S. government. It was a day to start a conversation, it certainly wasn't the last word, but judging from the reaction from others in the industry and from here in Washington, D.C., I was very encouraged by the positive reception that these ideas had, and I'm very optimistic that we'll all go forward and not only talk about these ideas but do more about them. Specifically I'm hopeful that we'll see Congress start to do something.