Governments and businesses have spent two decades rushing to the cloud — entrusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software, and the know-how to keep it safe.
Now the White House fears that the cloud will become a huge security gap.
As a result, it is launching the country’s first comprehensive plan to regulate the security practices of cloud providers like Amazon, Microsoft, Google, and Oracle, whose servers provide data storage and computing power to customers ranging from mom-and-pop companies to the Pentagon and the CIA.
The cloud has “become essential to our daily lives,” said Kemba Walden, the acting national cyber director, in an interview. “If disrupted, it could cause major, potentially catastrophic disruption to our economy and our government.”
Essentially, she said, the cloud is now “too big to fail.”
The fear: Despite all their security expertise, the cloud giants offer concentrated attack surfaces through which hackers could compromise or paralyze a wide variety of victims at once. The collapse of a major cloud provider could cut hospitals off from medical records; shut down ports and railroads; corrupt the software that keeps the financial markets humming; and wipe databases at small businesses, public utilities, and government agencies.
“A single cloud provider that fails could bring the Internet down like a stack of dominoes,” said Marc Rogers, chief security officer at hardware security firm Q-Net Security and former head of information security at content delivery company Cloudflare.
And cloud servers have not proven to be as secure as government officials had hoped. Hackers from countries like Russia have used cloud servers from companies like Amazon and Microsoft as springboards to launch attacks on other targets. Cybercriminal groups also regularly rent infrastructure from US cloud providers to steal data or blackmail companies.
Among other things, the Biden administration recently announced that it will require cloud providers to verify their users’ identities in order to prevent foreign hackers from renting storage space on US cloud servers (implementing an idea first set out in an executive order of the Trump administration). And last week, in its national cybersecurity strategy, the government warned that more cloud regulation is to come – it plans to identify and fill regulatory gaps in the industry.
In a series of interviews about this new, tougher approach, administration officials emphasized that they would not abandon the cloud. Instead, they are trying to ensure that its rapid growth does not introduce new security risks.
Cloud services can “offload much of the security burden for end users” by freeing them from difficult and time-consuming security practices like patching and software updates, Walden said. Many small businesses and other customers simply lack the expertise and resources to protect their own data from increasingly sophisticated hackers.
The problems arise when these cloud providers do not offer the level of security that they could.
So far, cloud providers haven’t done enough to prevent criminal and nation-state hackers from abusing their services to stage attacks inside the US, officials argued, notably citing the 2020 SolarWinds espionage campaign, in which Russian spies evaded detection in part by renting servers from Amazon and GoDaddy. For months, they used this infrastructure to sneak into at least nine federal agencies and 100 companies.
That risk is growing, said Rob Knake, deputy national cyber director for strategy and budget. Foreign hackers have become more adept at “booting up and shutting down quickly,” he said — in fact, they move from one rented service to the next so quickly that new leads for US law enforcement agencies dry up faster than investigators can follow them.
Additionally, U.S. officials have expressed deep frustration that cloud providers often charge customers extra for additional security measures — both profiting from the need for such measures and leaving a security gap when organizations choose not to spend the extra money. This practice complicated federal investigations into the SolarWinds attack, since the agencies that fell victim to the Russian hacking campaign had not paid extra for Microsoft’s advanced data-logging capabilities.
“The reality is that cloud security today is often disconnected from the cloud,” said Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, during a launch event for the new cyber strategy last week. “We need to get to a point where cloud providers have security built in.”
So the White House plans to use all the powers at its disposal to make that happen – however limited they are.
“In the United States, we don’t have a national regulator for the cloud. We don’t have a Ministry of Communications. We don’t have anyone who would step up and say, ‘It’s our job to regulate cloud providers,’” Knake said. The cloud, he said, “needs a regulatory structure around it.”
Knake’s office is trying to find new ways to monitor the industry using a hodgepodge of existing tools, such as security requirements for certain sectors — like banking — and a program called FedRAMP, which lays down basic controls that cloud providers must meet in order to sell to the federal government.
This is complicated in part by the fact that neither the government nor the companies using cloud providers know exactly what security measures those providers have in place. In a study of the U.S. financial sector’s use of cloud services last month, the Treasury Department found that cloud companies offered “insufficient transparency to support due diligence and oversight” and that U.S. banks “could not fully understand the risks associated with cloud services.”
However, government officials are seeing signs that cloud providers’ attitudes are changing, especially as companies increasingly look to the public sector as a source of new revenue.
“Ten years ago they would have said, ‘No way,’” Knake said. But the big cloud providers “now realize that if they want the growth they want, if they want to be in critical sectors, they actually not only can’t stand in the way, they have to provide tools and mechanisms to make it easier to prove compliance with regulations,” he said.
The push for more regulation does not immediately meet with objections from the cloud industry.
“I think that’s very appropriate,” said Phil Venables, Google’s chief information security officer.
At the same time, however, Venables argued that cloud providers are already subject to numerous regulations, citing FedRAMP and the requirements cloud providers must meet to work with regulated customers such as banks, defense contractors and federal agencies – the very requirements that Knake described as a “mess.”
The White House has outlined a more aggressive regulatory regime in its new cyber strategy. It proposed making software manufacturers liable for insecure code and imposing stricter security regulations on critical infrastructure companies such as cloud providers.
“The market hasn’t taken all the necessary steps to ensure it’s not being misused, that it’s resilient, and that it’s taking good care of the small and medium-sized businesses under its umbrella,” said John Costello, who recently stepped down as chief of staff in the Office of the National Cyber Director.
Cloud computing companies are “eager” to work with the White House on a “harmonized approach to cross-industry security requirements,” said Ross Nodurft, executive director of the Alliance for Digital Innovation, a tech trade group whose members include the cloud giants Google Cloud and AWS – the cloud computing arm of Amazon – as well as Palo Alto Networks and VMware. He also said companies are already meeting existing “comprehensive security requirements” for specific industries.
A spokesman for Microsoft, which is not a member of ADI, referred POLITICO to a Thursday blog post by a Microsoft executive who made similar claims and said the company looks forward to working with agencies to draft appropriate regulations. Amazon said in a statement that it prioritizes security, but didn’t address whether it supports additional regulation. Oracle did not respond to a request for comment.
If the government doesn’t find a way to ensure cloud resiliency, it fears devastating consequences. Cloud providers have become “three or four single points of failure” for the US economy, Knake said.
According to a 2017 study by insurance giant Lloyd’s, a three-to-six-day outage at one of the top three cloud providers could cause $15 billion in damage.
Such a collapse could be triggered by a cyberattack on a major cloud provider, a natural or man-made disaster that knocks out a large data center or cuts its power, or simply a failure in the design and maintenance of a central cloud service.
If the White House cannot get the results it wants by leveraging existing regulations and persuading companies to voluntarily improve their practices, it must turn to Congress. And that might be its biggest hurdle.
Some Republicans have already criticized the White House’s national cybersecurity strategy for its heavy emphasis on regulation.
“We need to clarify cybersecurity roles and responsibilities at the federal level and not create additional burdens to minimize confusion and redundancies across government,” Rep. Mark Green (R-Tenn.), chair of the House Homeland Security Committee, and Rep. Andrew Garbarino (R-N.Y.), head of its subcommittee on cyber and infrastructure protection, said in a statement last week.
As gatekeepers of the House’s Homeland Security Committee, Garbarino and Green have de facto veto power over any major cybersecurity legislation the White House might send to Congress.
In the short term, this rules out the more ambitious cloud policy proposals outlined or hinted at in the new White House strategy.
That could mean that the administration has to increase the pressure on companies to do more in-house work.
Trey Herr, a former senior security strategist who worked on cloud computing at Microsoft, said cybersecurity regulators could, for example, require the heads of the major cloud providers to appear twice a year before top government cyber officials and demonstrate that they are taking appropriate measures to manage the risk in their systems.
The big cloud providers “have many ways to talk about the security of one product, but few ways to manage the risk of all these interconnected products,” said Herr, who is now director of the Atlantic Council’s Cyber Statecraft Initiative.
“It’s one thing to do a good job building a helipad on the roof of your house,” he said. But “no one is asking if the house is even built to handle that helipad.”