Google was recently caught by the DOJ and outed by Microsoft for not having FISMA (Federal Information Security Management Act) certification on its Google Apps for Government platform.
However, Mountain View had claimed otherwise in advertisements and official court documents. Of course, it should be noted that another cloud-based Google Apps product is actually FISMA certified, but it is the Premier version of Apps, rather than the government-specific product.
What Google should have done was apologize and expedited the certification process but, being Google, they decided to spin the arrogance dial and argue it didn’t really need certification.
There is actually now a reasonably good chance their certification on the Premier product will get pulled. Let me explain why.
Government 101: Dealing with Government in 2011
Let me put things in context if you’ve been living under a rock. Right now pretty much every regulatory employee in the US has been reminded they are “nonessential” and were used as hostages in the recent budget battle in congress.
Congress, who put them at risk, was at no risk themselves of losing salaries or critical benefits. It is pretty clear that the vast majority of these government folks won’t see raises for years and probably are at increased risk of being laid off or getting salary and/or benefit cuts.
Right now this is not a class of people you frack with particularly if you are a company run by a couple of billionaires which has a reputation for avoiding taxes, violating privacy laws, and putting out low quality products. (We won’t even talk about the quality of Google’s employees).
Google Says Regulators are RedundantGoogle’s response to this problem was to argue that because their less secure product was certified, their more secure product should be certified – as the process is largely redundant. It isn’t a big step to see Google thinks folks are just supposed to assume their compliance is redundant as well. Clearly, Google – showcasing incredible arrogance – is trivializing the process.
If there was ever a time to show government workers a lot of respect this would be it, and that is exactly what Google is not doing. Google is basically saying that they should have the right to decide how to apply critical certifications and while they, in this case, might even be right, that certainly isn’t the way government works.
You see, when you change anything you might break something that you didn’t originally consider. As such, whether you are getting a critical certification for software or obtain a planning department approval, you are required to follow procedure.
For example, I’m currently looking at improving the earthquake protection for my house and what I’m planning should make my home vastly safer than it is. That doesn’t mean I can forego planning commission approval because I think it is safer. Yes, I may be right (certainly hope so) but I can’t self-certify because I might not be – and lives likely depend on this retro-fit being right.
Now, Google doesn’t even have a good security reputation, so taking their word that they made something more secure isn’t something I’d advise anyone doing.
Similarly, I would say an architect who had a habit of building creative structures that often collapsed likely shouldn’t get a free pass or a rubber stamp for his or her plans.
Not only shouldn’t it happen ever, but in this particular case because of Google’s reputation, the process should be especially stringent. In addition, the government should revisit the company’s existing certification to make sure no one made a mistake during the original review.
Pissing Off Government Workers
One thing you’ll learn if you work with any certification body, particularly if you represent a large company, is not to piss them off because government workers, particularly during times like these, tend to stick together.
You piss off one group, by say suing them which Google is doing, and you may find another group decides to make an example of you.
You may recall that Microsoft effectively told the US Attorney General to go to heck (something that is on Redmond’s list of regrets) during one incredibly arrogant moment and they pretty much got carved up over the next decade.
The cost of arrogance when dealing with any branch of government right now may be a draconian response that Google hasn’t anticipated. At the very least they may not get the certification they need, but they may also lose the certification they’ve got. In addition, Google may suddenly find that the majority of government employees they are working with aren’t getting things done very quickly or even at all.
Wrapping Up: Don’t Muck with Government Employees this Year
Let’s just say that the lesson we may see played out here is that, particularly right now, getting in a government employee’s face is not a good idea. I should say this applies to everyone from a TSA employee at an airport, to the cop that pulls you over, to a tax auditor, to someone you want to certify a product.
These people work incredibly hard and they just got fracked by their employer and generally can’t do anything about it and are probably close to taking out their frustration on someone. Raising your hand and screaming “me me!” simply isn’t a good idea and there is a reasonably good chance Google may find out personally why that is the case.
After watching Microsoft’s experiences with excessive arrogance in the 90s it is beyond me why Google seems hell bent to repeat that experience.
Maybe their jobs are just too easy and they need that extra touch of difficulty that a pissed off government employee will gleefully provide to make their lives meaningful. Hey, good luck with that.
Rob Enderle is one of the last Inquiry Analysts. Inquiry Analysts are paid to stay up to date on current events and identify trends and either explain the trends or make suggestions, tactical and strategic, on how to best take advantage of them. Currently, he provides his services to most of the major technology and media companies. The opinions expressed in this commentary are solely those of the writer.