On Thursday, May 11, 2023, the Federal Trade Commission hosted a panel to discuss questions relating to the cloud computing industry. As we’ve previously covered, the FTC is currently seeking public comment as part of a Request for Information regarding cloud computing business practices. In part, the goal of the panel was to identify issues the FTC should explore in its RFI.
Participating in the panel were Abby Kearns, a tech executive and board member at Stackpath and Lightbend; Frank Nagle, a professor at Harvard Business School; Salil Deshpande, founder of the venture capital firm Uncorrelated Ventures; Frédéric Jenny, professor emeritus at ESSEC Business School; and Steven Weber, professor at the University of California, Berkeley and partner at Breakwater Strategy.
The discussion covered an array of topics, with a significant focus on the state of competition among cloud computing providers. Below, we highlight key points made by the panelists regarding two other topics: data security and artificial intelligence (AI).
In introductory remarks, FTC Chair Lina Khan noted that the FTC is interested in whether concentration compounds data security risks and whether additional competition among cloud providers would incentivize firms to compete on providing better data security. Following these remarks, FTC Deputy Chief Technologist Alex Gaynor commented that cloud computing providers’ design choices can contribute to security incidents, noting that their expansive offerings can increase the likelihood of misconfigurations.
The panelists agreed that cloud computing providers are a valuable target for bad actors as a way to steal the most data and cause the most damage, given the potential to access an array of businesses’ data via a breach of their cloud computing provider. Mr. Nagle noted, however, that cloud architecture significantly reduces the potential scope of a breach of a cloud provider.
The panelists were skeptical that increased competition among cloud computing providers would lead them to compete on providing better data security. They agreed that cloud computing providers do not currently compete on cybersecurity and that it is not clear that customers are willing to pay more for cybersecurity improvements. Mr. Nagle noted that cloud computing providers’ investment in cybersecurity could significantly benefit small businesses, which may be less sophisticated or unable to invest heavily in cybersecurity. Mr. Weber argued that big customers of cloud computing providers are well-positioned to negotiate for cloud computing providers to improve their security practices or assume responsibility for security aspects that they currently allot to customers, while Ms. Kearns argued that customers generally are not willing to spend beyond the bare minimum on security and pointed to industry and regulatory requirements as a driver of improved security practices. She also argued that customers bear significant responsibility for their own cybersecurity.
The panel’s final topic concerned AI’s importance within the cloud computing context. Mr. Weber argued that AI is the leading technology shaping both competition and data security in the cloud. Mr. Weber said the goal should be for cloud computing providers to support and facilitate innovation in AI, but that the “instinctual business practices” of cloud computing providers could threaten this goal, as they may be tempted to vertically integrate with AI innovators or otherwise wall them off from competitors. He cited the practice of cloud computing providers giving AI developers cloud credits in lieu of traditional investments as a means to tie AI models to their service, which could make it hard for AI companies to unbundle their models from particular cloud computing providers. Mr. Weber said this presents a risk of walled gardens, which he compared to the risk in the 1990s of a fragmented internet. He cited government policy, open source, and underlying protocols as forces that ensured an interconnected web and expressed concern that those forces are not in place in the AI context. Mr. Deshpande noted that these are existing risks that are not specific to AI but that AI exacerbates them.
The FTC is accepting comments on the Request for Information until June 21.