Biden admin’s cloud security problem: ‘It could take down the internet like a stack of dominos’
The Biden administration is embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers.
Governments and businesses have spent two decades rushing to the cloud — trusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software and the knowhow to keep it safe.
Now the White House worries that the cloud is becoming a huge security vulnerability.
So it’s embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers like Amazon, Microsoft, Google and Oracle, whose servers provide data storage and computing power for customers ranging from mom-and-pop businesses to the Pentagon and CIA.
The cloud has “become essential to our daily lives,” Kemba Walden, the acting national cyber director, said in an interview. “If it's disrupted, it could create large potentially catastrophic disruptions to our economy and to our government.”
In essence, she said, the cloud is now “too big to fail.”
The fear: For all their security expertise, the cloud giants offer concentrated targets that hackers could use to compromise or disable a wide range of victims all at once. The collapse of a major cloud provider could cut hospitals off from their medical records; paralyze ports and railroads; corrupt the software that helps financial markets hum; and wipe out databases across small businesses, public utilities and government agencies.
“A single cloud provider going down could take down the internet like a stack of dominos,” said Marc Rogers, chief security officer at hardware security firm Q-Net Security and former head of information security at the content delivery provider Cloudflare.
And cloud servers haven’t proved to be as secure as government officials had hoped. Hackers from nations such as Russia have used cloud servers from companies like Amazon and Microsoft as a springboard to launch attacks on other targets. Cybercriminal groups also regularly rent infrastructure from U.S. cloud providers to steal data or extort companies.
Among other steps, the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first introduced in a Trump administration executive order). And last week the administration warned in its national cybersecurity strategy that more cloud regulations are coming — saying it plans to identify and close regulatory gaps over the industry.
In a series of interviews about this new, tougher approach, administration officials stressed that they aren’t giving up on the cloud. Instead, they’re trying to ensure that rapid growth doesn’t translate to new security risks.
Cloud services can “take a lot of the security burden off of end users” by relieving them of difficult and time-consuming security practices, like applying patches and software updates, said Walden. Many small businesses and other customers simply lack the expertise and resources to protect their own data from increasingly adept hackers.
The problems come when those cloud providers aren’t providing the level of security they could.
So far, cloud providers haven’t done enough to prevent criminal and nation-state hackers from abusing their services to stage attacks within the U.S., officials argued, pointing in particular to the 2020 SolarWinds espionage campaign, in which Russian spooks avoided detection in part by renting servers from Amazon and GoDaddy. For months, they used those to slip unnoticed into at least nine federal agencies and 100 companies.
That risk is only growing, said Rob Knake, the deputy national cyber director for strategy and budget. Foreign hackers have become more adept at “spinning up and rapidly spinning down” new servers, he said — in effect, moving so quickly from one rented service to the next that leads dry up for U.S. law enforcement faster than it can run them down.
On top of that, U.S. officials express significant frustration that cloud providers often up-charge customers to add security protections — both taking advantage of the need for such measures and leaving a security hole when companies decide not to spend the extra money. That practice complicated the federal investigations into the SolarWinds attack, because the agencies that fell victim to the Russian hacking campaign had not paid extra for Microsoft’s enhanced data-logging features.
“The reality is that today cloud security is often separate from cloud,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said last week during a roll-out event for the new cyber strategy. “We need to get to a place where cloud providers have security baked in with that.”
So the White House is planning to use whatever powers it can draw on to make that happen — limited as they are.
“In the United States, we don't have a national regulator for cloud. We don't have a Ministry of Communication. We don't have anybody who would step up and say, ‘It's our job to regulate cloud providers,’” said Knake, of the strategy and budget office. The cloud, he said, “needs to have a regulatory structure around it.”
Knake’s office is racing to find new ways to police the industry using a ‘hodgepodge’ of existing tools, such as security requirements for specific sectors — like banking — and a program called FedRAMP that establishes baseline controls cloud providers must meet to sell to the federal government.
Part of what makes that difficult is that neither the government nor companies using cloud providers fully know what security protections cloud providers have in place. In a study last month on the U.S. financial sector’s use of cloud services, the Treasury Department found that cloud companies provided “insufficient transparency to support due diligence and monitoring” and U.S. banks could not “fully understand the risks associated with cloud services.”
But government officials say they see signs that the cloud providers’ attitude is changing, especially given that the companies increasingly see the public sector as a source for new revenue.
“Ten years ago, they would have been like, ‘No way,’” said Knake. But the major cloud providers “have now realized that if they want the growth that they want to have, if they want to be within critical sectors, they actually not only need to not stand in the way, but they need to provide tools and mechanisms to make it easy to prove compliance regulations,” he said.
The push for more regulations isn’t getting immediate objections from the cloud industry.
“I think that that's highly appropriate,” said Phil Venables, Google’s chief information security officer.
But at the same time, Venables argued that cloud providers are subject to plenty of regulation already, pointing to FedRAMP and the requirements cloud providers must satisfy in order to work with regulated entities such as banks, defense industrial base companies and federal agencies — the very tools Knake described as “hodgepodge.”
The White House outlined a more aggressive regulatory regime in its new cyber strategy. It proposed holding software makers liable for insecure code and imposing stronger security mandates on critical infrastructure companies, like the cloud providers.
“The market has not provided for all the measures necessary to ensure that it’s not being inappropriately used, that it’s resilient, and that it’s being good caretakers of the small and medium-sized business under its umbrella,” said John Costello, the recently departed chief of staff in the Office of the National Cyber Director.
Cloud computing companies are “eager” to work with the White House on a “harmonized approach to security requirements across sectors,” said Ross Nodurft, executive director of the Alliance for Digital Innovation, a tech trade group whose members include Palo Alto Networks, VMware, Google Cloud and AWS — the cloud computing arm of Amazon. He also said that companies already comply with existing “extensive security requirements” for specific industries.
A spokesperson for Microsoft, which is not a member of ADI, referred POLITICO to a Thursday blog post from a Microsoft executive making similar assertions that the company looks forward to working with agencies on crafting appropriate regulations. AWS said in a statement that it prioritizes security but did not address the question of whether it supports additional regulation. Oracle did not respond to a request for comment.
If the government fails to find a way to ensure the resilience of the cloud, it fears the fallout could be devastating. Cloud providers have effectively become “three or four single points of failure” for the U.S. economy, Knake said.
According to a 2017 study from the insurance market Lloyd’s of London, an outage at one of the top three cloud providers lasting between three and six days could cause $15 billion in damages.
Such a collapse could be triggered by a cyberattack on a major cloud provider, a natural or human-caused disaster that disrupts or cuts power to a major data center, or simply a failure in the design and maintenance of a core cloud service.
If the White House can’t get the results it wants through using existing regulations and cajoling companies into improving practices voluntarily, it will have to hit up Congress. And that could be its biggest hurdle.
Some Republicans have already criticized the White House’s national cybersecurity strategy for its heavy emphasis on regulation.
“We must clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across the government,” Rep. Mark Green (R-Tenn.), the chair of the House Homeland Security Committee, and Rep. Andrew Garbarino (R-N.Y.), head of its cyber and infrastructure protection subcommittee, said in a statement last week.
As gatekeepers of the House Homeland Security Committee, Garbarino and Green wield de facto veto power over any major cybersecurity legislation that the White House might send Congress.
In the short term, that eliminates the possibility of the more ambitious cloud policy proposals outlined or hinted at in the White House’s new strategy.
That could mean that the administration will have to increase pressure on the companies to do more on their own.
Trey Herr, a former senior security strategist who worked in cloud computing at Microsoft, said cybersecurity agencies could, for example, require the heads of the major cloud providers to appear before top government cyber brass on a semi-regular basis and prove that they’re taking adequate steps to manage the risk within their systems.
The major cloud providers “have plenty of ways to talk about the security of one product, but few to manage the risk of all those products tied together,” said Herr, who is now the director of the Atlantic Council’s cyber statecraft initiative.
“It’s one thing to do a good job building a helipad on the top of your house,” he said. But “no one is asking if the house is built to handle that helipad in the first place.”