City of Los Angeles Raises Security Concerns over Google Cloud Contract
Google's contract to provide cloud-based applications to the city of Los Angeles hit a snag this week, after the city expressed concerns over the security of Google's offerings.
Google has failed to satisfy the security requirements of some of the city's agencies, city officials contend. Specifically, according to an Aug. 17 letter from L.A. Information Technology Agency General Manager Randi Levin, the project's lead contractor, Computer Sciences Corp., has not met the security specifications of some of the city's more sensitive departments, such as the L.A. Police Department. CSC was supposed to have met the Criminal Justice Information Systems (CJIS) requirements as spelled out by the U.S. Department of Justice (DoJ), the letter said.
The letter surfaced via Consumer Watchdog, an advocacy group. Consumer Watchdog is known for its Proposition 103 work in California that regulates car insurance rates in the state while also legally compelling resident drivers with incomes above a certain level to buy coverage from insurance companies. Consumer Watchdog has a privacy campaign specifically targeting Google's business practices and has called for Google to be broken up by regulatory agencies (PDF).
On Tuesday, Consumer Watchdog sent a letter (PDF) to L.A. Mayor Antonio Villaraigosa asking for the city to "fully disclose immediately the extent to which Google has failed to comply with its contractual obligations."
In December 2009, Levin had explained that the city planned to move "all 30,000 city employees to Google Apps from our existing [Novell] GroupWise email system," according to a Google blog post. She noted then that "everyone will benefit from Google's security controls." The Consumer Watchdog letter to Villaraigosa, dated Oct. 18, 2011, claimed that "a mere 17,000 city employees use the Google system while 13,000 LAPD and other employees involved in law enforcement cannot make the move."
A Google spokesperson, without clarification, issued the following statements, asserting that its competitors were engaged in a publicity stunt, and that the city introduced new requirements to meet.
"This is just the latest in a long list of press stunts from a group that admits to working closely with our competitors," Google stated. "We are meeting our commitments to the City of Los Angeles. Indeed, the City recently renewed their Google Apps contract for 17,000 employees, and the project is expected to save Los Angeles taxpayers millions of dollars.
"The City has acknowledged Google Apps is more secure than its current system. Along the way they've also introduced new requirements which require work to implement in a cloud computing environment, and we've presented a plan to meet them at no additional cost."
The contract, established on Nov. 20, 2009, was originally estimated at $7.2 million. One of the failing bids for the contract came from Microsoft. Since then, the two companies have been locked in public relations battles over cloud security issues on public sector contracts.
The city's complaints appear to have been ongoing for at least a year. Consumer Watchdog dredged up an earlier memo from Levin on the matter, from December 2010, in which she said that communications from Google and CSC on the contract had "risen to the level of misrepresentation," according to a Los Angeles Times article.
The city is now requiring CSC and Google to implement a "Second Amendment" in the contract. It requires them to pay the city for its costs running GroupWise through June 30, 2011, as well as "for the period of July 1, 2011 through November 20, 2012." The city also will use the Google Apps for Government Edition at no extra cost. The original contract specified Google Apps Premier Edition.
Google Apps Premier Edition met Federal Information Security Management Act (FISMA) standards in July 2010, according to a U.S. General Services Administration official. Given that fact, it's not exactly clear why the city is also requiring compliance with the DoJ's security spec.
CSC released a statement on the matter on Wednesday, claiming success in migrating 17,000 city government users to Google Apps, with the exception of Los Angeles' law enforcement agencies. CSC is working with the city on the DoJ security requirements it says were added to the original contract.
"Subsequent to the award of the original contract, the City identified significant new security requirements for the Police Department," CSC said in an e-mailed statement. "CSC and Google worked closely with the City to evaluate and eventually implement the additional data security requirements, which are related to criminal justice services information ('CJIS'), and we're still working together on one final security requirement."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.