Governments and businesses have spent two decades flocking to the cloud — entrusting some of their most sensitive data to tech giants that promise near-limitless storage, powerful software and the expertise to keep it safe.
Now the White House is concerned that the cloud is becoming a huge security hole.
So it’s embarking on the nation’s first comprehensive plan to standardize the security practices of cloud providers like Amazon, Microsoft, Google and Oracle, whose servers store data and supply computing power for clients ranging from mom-and-pop businesses to the Pentagon and the CIA.
Acting National Cyber Director Kemba Walden said in an interview that the cloud has “become an integral part of our everyday lives,” and that “if it is breached, it could cause massive and potentially catastrophic damage to our economy and our government.”
Essentially, the cloud is now “too big to fail,” she said.
The fear: for all their security expertise, cloud computing giants offer concentrated targets that hackers can leverage to compromise or disable a wide range of victims at once. The collapse of a major cloud provider could cut off hospitals’ access to medical records; cripple ports and railroads; disrupt software that keeps financial markets running; and wipe out the databases of small businesses, public utilities and government agencies.
“The failure of a single cloud provider could destroy the internet like a cascade of dominoes,” said Marc Rogers, chief security officer at hardware security firm Q-Net Security and former head of information security at content delivery provider Cloudflare.
As it turns out, cloud servers aren’t as secure as government officials had hoped. Hackers from countries such as Russia use the cloud servers of companies such as Amazon and Microsoft as springboards to attack other targets. Cybercriminal groups also regularly rent infrastructure from U.S. cloud providers to steal data or blackmail companies.
Among other measures, the Biden administration recently said it would require cloud providers to verify the identities of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first floated in a Trump administration executive order). Last week, the U.S. government warned in its National Cybersecurity Strategy that more cloud regulations were on the horizon — and said it planned to identify and close regulatory gaps in the industry.
In a series of interviews about this new, tougher approach, administration officials emphasized that they are not abandoning cloud computing. Instead, they’re trying to ensure that rapid growth doesn’t translate into new security risks.
Cloud services can “relieve a lot of the security burden from end users,” Walden said, freeing them from difficult and time-consuming security practices such as applying patches and software updates. Many small businesses and other customers simply lack the expertise and resources to protect their data from increasingly sophisticated hackers.
The problem comes when these cloud providers don’t provide the level of security they can.
Cloud providers have so far not done enough to stop criminals and nation-state hackers from abusing their services to launch attacks inside the United States, officials argue, pointing specifically to the 2020 SolarWinds espionage campaign, in which Russian spies rented servers from Amazon and GoDaddy as part of the operation. They used those servers to quietly maintain access to at least nine federal agencies and 100 companies for months.
Rob Knake, deputy national cyber director for strategy and budget, said the risk was only going to grow. Foreign hackers, he said, have become better at “spinning up and shutting down” new servers quickly — hopping so quickly from one leased service to another that leads dry up faster than U.S. law enforcement can track them down.
On top of that, U.S. officials have expressed great dismay that cloud providers often charge customers extra for added security protections — both profiting from the need for such measures and leaving security gaps when companies decide not to spend the extra money. The practice complicated the federal government’s investigation into the SolarWinds attack because agencies that fell victim to the Russian hacking had not paid extra for Microsoft’s enhanced data logging capabilities.
“The reality is that cloud security today is often separate from the cloud,” Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said at a launch event for the new cyber strategy last week. “We need to get to a place where cloud providers build security into the mix.”
So the White House is planning to use every power at its disposal to make it happen — limited though they are.
“In the U.S., we don’t have a national regulatory agency for cloud. We don’t have a Department of Communications. None of us are going to come out and say, ‘It’s our job to regulate cloud providers,’” said Knake, of the Office of the National Cyber Director. The cloud “needs to have a regulatory structure built around it,” he said.
Knake’s office is racing to find new ways to regulate the industry using a “hodgepodge” of existing tools, such as industry-specific security requirements (for banking, for example) and a program called FedRAMP, which sets baseline security controls that cloud vendors must meet in order to sell to the federal government.
Part of the difficulty is that neither governments nor companies using cloud providers fully understand what security protections cloud providers have in place. In a study last month on the use of cloud services by the U.S. financial sector, the Treasury Department found that cloud companies provided “insufficient transparency to support due diligence and monitoring” and that U.S. banks could not “adequately understand the risks associated with cloud services.”
But government officials say they see signs that attitudes among cloud providers are changing, especially as the companies increasingly look to the public sector as a source of new revenue.
“Ten years ago, they would have said, ‘impossible,’” Knake said. But the major cloud providers “have now realized that if they’re going to achieve the growth that they want, if they’re going to get into key areas, they actually need to not only get out of the way, but they need to provide the tools and the mechanisms to make demonstrating compliance easy,” he said.
The push for more regulation met with no immediate opposition from the cloud industry.
“I think it’s a great fit,” said Phil Venables, Google’s chief information security officer.
But at the same time, Venables argues that cloud providers are already heavily regulated, pointing to FedRAMP and to the requirements cloud providers must meet in order to work with regulated entities such as banks, defense industrial base companies and federal agencies — the very tools Knake describes as a “hodgepodge.”
The White House has outlined a more aggressive regulatory regime in its new cyber strategy. It proposes to hold software makers accountable for insecure code and impose stricter security requirements on critical infrastructure companies such as cloud providers.
“The market doesn’t provide all the necessary measures to ensure it’s not used inappropriately, that it’s resilient and that it looks after the small and medium-sized businesses under its umbrella well,” said John Costello, the recently departed chief of staff for the Office of the National Cyber Director.
Cloud companies are “eager” to work with the White House on “a unified approach to security requirements across agencies,” said Ross Nodurft, executive director of the Alliance for Digital Innovation, a technology trade group whose members include Palo Alto Networks, VMware, Google Cloud and AWS, Amazon’s cloud computing division. He also said the companies already comply with existing “extensive security requirements” for specific industries.
A spokesperson for Microsoft (which is not a member of ADI) referred POLITICO to a blog post published Thursday in which a Microsoft executive similarly said the company looks forward to working with agencies to develop appropriate regulations. AWS said in a statement that it was prioritizing security, but did not address whether it would support additional oversight. Oracle did not respond to a request for comment.
If the government fails to find a way to ensure cloud resilience, officials fear the consequences could be devastating. Cloud providers have effectively become “three or four single points of failure” for the U.S. economy, Knake said.
An outage lasting three to six days at one of the big three cloud providers could cost $15 billion, according to a 2017 study by insurance giant Lloyd’s.
Such a breakdown could be triggered by a cyberattack on a major cloud provider, a natural or man-made disaster that damages or cuts power to a major data center, or simply a failure in the design and maintenance of core cloud services.
If the White House can’t get what it wants by using existing regulations and persuading companies to improve their practices voluntarily, it will have to storm Congress. This may be its biggest hurdle.
Some Republicans have criticized the White House’s national cybersecurity strategy for putting too much emphasis on regulation.
Rep. Mark Green (R-Tenn.), chairman of the House Homeland Security Committee, and Rep. Andrew Garbarino (R-N.Y.), head of its cybersecurity and infrastructure protection subcommittee, said in a statement last week: “We must clarify the roles and responsibilities of federal cybersecurity and not create additional burdens to minimize confusion and redundancies in government.”
As gatekeepers on the House Homeland Security Committee, Garbarino and Green wield de facto veto power over any major cybersecurity legislation the White House might bring to Congress.
In the short term, this eliminates the possibility of the more ambitious cloud policy proposals outlined or implied in the new White House strategy.
That could mean the government will have to step up pressure on companies to do more on their own.
Trey Herr, a former senior security strategist who worked on cloud computing at Microsoft, said cybersecurity agencies could, for example, require the heads of major cloud providers to appear before the government’s top cyber officials on a semi-regular basis and demonstrate that they have taken “appropriate” measures to manage risks within their systems.
The major cloud vendors “have many ways to talk about the security of one product, but very few ways to manage the risk of all of these products bundled together,” said Herr, who now leads the Atlantic Council’s Cyber Statecraft Initiative.
“It’s one thing to build a helipad on your roof,” he said. But “no one asked if the house was meant to handle that helipad in the first place.”