The cloud “has become essential to our daily lives,” Acting National Cyber Director Kemba Walden said in an interview. “If it is disrupted, it could create potentially catastrophic disruptions for our economy and our government.”
In essence, he said, the cloud is now “too big to fail.”
Fear With all of their security expertise, the cloud giants offer focused targets that hackers can use to compromise or disable a wide range of victims at once. The collapse of a major cloud provider could deprive hospitals of access to medical records. paralyze ports and railways; the software that helps financial markets move is corrupted; and delete databases among small businesses, utilities, and government agencies.
“A cloud provider alone can take down the Internet like a stack of dominoes,” said Mark Rogers, chief security officer at hardware security firm Q-Net Security and former chief information security officer at content delivery provider Cloudflare.
And cloud servers have not proven to be as secure as government officials had hoped. Hackers from countries like Russia have used the cloud servers of companies like Amazon and Microsoft as springboards to launch attacks on other targets. Cybercriminal groups also regularly lease infrastructure from US cloud providers to steal data or extort money from companies.
Among other moves, the Biden administration recently said it would require cloud providers to verify the identities of their users to prevent foreign hackers from renting space on US cloud servers (implementing an idea first floated in a Trump administration executive order). And last week, the administration warned in its national cybersecurity strategy that more cloud regulations are coming, saying it plans to identify and close the industry’s regulatory loopholes.
In a series of interviews about this new, tougher approach, administration officials emphasized that they are not abandoning the cloud. Instead, they are trying to ensure that rapid growth does not translate into new security risks.
Cloud services can “take a lot of the security burden off end users,” freeing them from complex and time-consuming security practices like patches and software updates, Walden said. Many small businesses and other customers simply don’t have the expertise and resources to protect their own data from increasingly sophisticated hackers.
Problems arise when these cloud providers do not provide the level of security they could.
Until now, cloud providers have not done enough to prevent criminal and national hackers from misusing their services to launch attacks inside the US, officials have argued, pointing in particular to the 2020 SolarWinds spy campaign in which Russian hackers escaped detection. part by renting servers from Amazon and GoDaddy. For months, they used them to slip into at least nine federal agencies and 100 companies.
That risk is only growing, said Rob Knake, deputy national cyber director for strategy and budget. Foreign hackers have become more adept at “spinning and fast-spinning” new servers—in effect, switching from one leased service to another so quickly that new connections dry up faster for US law enforcement than it can track them. .
In addition, US officials have expressed considerable frustration that cloud providers often charge customers to add security protections, both taking advantage of the need for such measures and leaving a security hole when companies decide not to spend the extra money. That practice complicated the federal investigation into the SolarWinds attack because the agencies that fell victim to the Russian hacking campaign did not pay extra for Microsoft’s enhanced data logging features.
“The reality is that today, cloud security is often separated from the cloud,” said Anne Neuberger, deputy national security adviser for cyber and emerging technologies, at an event last week for the new cyber strategy. “We need to get to a place where cloud providers are supported by this.”
So the White House plans to use whatever powers it can get to accomplish this, however limited.
“In the United States, we don’t have a national cloud regulator. We do not have a Ministry of Communications. We don’t have anyone who will push and say: “It’s our job to regulate the cloud providers,” says Knake of the Office of Strategy and Budget. The cloud, he said, “must have a regulatory structure around it.”
Knake’s office is struggling to find new ways to monitor the industry, using a range of existing tools, such as security requirements for specific industries, such as banking, and a program called FedRAMP, which sets baseline controls that cloud providers must meet with federal to sell. government.
What makes this difficult is that neither the government nor the companies using cloud providers know exactly what security protections cloud providers have in place. In a study last month Regarding the US financial sector’s use of cloud services, the Treasury Department found that cloud companies provide “insufficient transparency to support due diligence and monitoring” and US banks may not “fully understand the risks associated with cloud services”.
But government officials say they are seeing signs that attitudes toward cloud providers are changing, especially as companies increasingly see the public sector as a source of new revenue.
“Ten years ago, they would have said ‘no way,'” Knake said. But the big cloud providers “have now realized that if they want to have the growth that they want to have, if they want to be in the critical segments, they really have to not only be non-disruptive, but they have to provide tools and mechanisms. to make it easier to prove compliance regulations,” he said.
The push for more regulations isn’t drawing immediate objections from the cloud industry.
“I think it’s very appropriate,” said Phil Venables, Google’s chief information security officer.
But at the same time, Venables argued that cloud providers are already subject to many regulations, pointing to FedRAMP and the requirements that cloud providers must meet to work with regulated entities such as banks, defense industrial base companies and federal agencies. tools Knake described as a “hodgepodge”.
The White House has outlined a more aggressive regulatory regime in its new cyber strategy. It proposed holding software makers accountable for insecure code and imposing stronger security mandates on critical infrastructure companies such as cloud providers.
“The market has not put in place all the measures needed to ensure that it is not misused, that it is flexible and that it is a good steward of the small and medium-sized businesses under its umbrella,” says John Costello, recently retired. Chief of Staff, Office of the National Cyber Director.
Cloud computing companies “want” to work with the White House on a “harmonized approach to security requirements across the board,” said Ross Nodurft, CEO of the Alliance for Digital Innovation, a technology trade group that includes cloud giant Palo Alto Networks as members. , VMWare, Google Cloud and AWS, Amazon’s cloud computing arm. He also said companies already comply with “extensive security requirements” that exist for certain industries.
A spokesperson for Microsoft, which is not a member of ADI, referred POLITICO to a Thursday’s blog post A Microsoft executive making similar claims said the company expects to work with the agencies to develop appropriate regulations. AWS’s statement said it prioritizes security, but did not address whether it supports additional settings. Oracle did not respond to a request for comment.
If the government can’t find a way to ensure cloud resilience, he fears the fallout could be devastating. Cloud providers have effectively become the “three or four single points of failure” for the US economy, Knake said.
According to a 2017 study by insurance giant Lloyds, a three- to six-day outage at one of the three leading cloud providers could cost $15 billion.
Such a collapse could be caused by a cyberattack on a major cloud provider, a natural or man-made disaster that disrupts or shuts down power to a major data center, or simply a failure in the design and maintenance of a major cloud service.
If the White House can’t get the results it wants by using existing regulations and forcing companies to voluntarily improve practices, it will have to hit out at Congress. And that may be his biggest obstacle.
Some Republicans have already criticized the White House’s National Cybersecurity Strategy for its heavy emphasis on regulation.
“We need to clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across government,” he said. Mark Green (R.-Tenn.), Chairman of the Homeland Security Committee of the House of Representatives and R. Andrew Garbarino (RN.Y.), the head of its cyber and infrastructure protection subcommittee, said in a statement last week.
As gatekeepers on the House Homeland Security Committee, Garbarino and Green have de facto veto power over any major cybersecurity legislation the White House might send to Congress.
In the short term, that rules out the more ambitious cloud policy proposals outlined or hinted at in the new White House strategy.
That could mean the administration will have to increase pressure on companies to do more on their own.
Trey Herr, a former senior security strategist who worked on cloud computing at Microsoft, said that cybersecurity agencies could, for example, require the heads of major cloud providers to appear before top government cyber brass on a semiannual basis and prove that they resume appropriate steps to manage the risk in their systems.
The big cloud providers “have a lot of ways to talk about the security of one product, but few to manage the risk associated with all those products,” said Herr, who is now director of the Atlantic Council’s Cyber Government Initiative.
“It’s one thing to do a good job of building a helicopter on top of a house,He said: But “no one asks if the house is built on that helipad.”