The White House seeks to narrow the growing chasm between the immense power companies like Microsoft, Amazon, Google and Oracle wield over the country’s digital fortunes and the few tools the government has to ensure their cybersecurity practices keep more than their pocketbooks in mind. Above all, there is increasing concern within the White House that the U.S. economy is growing too reliant on a small number of companies whose risk management processes no one, at least not anyone outside the companies, seems to have much insight into.
The major cloud service providers are the world’s best at managing and securing cloud infrastructure, yet the U.S. government is positioning itself as “knowing better” on regulation and security guidance. Adding know-your-customer requirements for cloud providers is well-intentioned, but it risks pushing attackers toward services further from the reach of law enforcement. Several reports have covered possible incoming regulations affecting cloud providers.
The biggest threat to cloud infrastructure right now is physical disaster rather than technical failure. The financial services industry is an example of a sector that diversifies activity across multiple cloud providers to avoid single points of failure. Critical infrastructure entities modernizing toward the cloud must consider disaster recovery plans, and most need to be able to go entirely multi-cloud to limit their points of exposure. For all the talk of cyber attacks against cloud providers, the most significant impacts from cloud services going down have resulted from a power outage at AWS and from the fire that destroyed an OVH data center.
The National Cybersecurity Strategy starts positively and discusses how the cloud can help security. The first strategic objective suggests using cloud-based services to improve the cybersecurity of critical sectors. That only raises the bar on the importance of enhancing security in the cloud itself. Additionally, the term “cloud” is used somewhat loosely in parts of the document. For example, “software as a service” and “infrastructure as a service” differ considerably in what the customer, rather than the provider, is responsible for securing.
Executive Order 13984 aims to make it harder for attackers to host their malware and attacks on U.S. cloud providers by requiring stronger “know your customer” checks. The most contentious strategic objective in the National Cybersecurity Strategy outlines the intent to implement EO 13984, which was signed in the final days of the Trump administration but never implemented. The Biden administration is now looking at implementing this EO, although the cybersecurity strategy explains the rationale somewhat differently.
It particularly calls out foreign resellers, with the idea of making them more liable for abuse and more incentivized to prevent it. The strategy references the order as a way to avoid the misuse of U.S.-based infrastructure. It says the problem is that attackers often wipe their systems after using them, making it hard to determine who they are when those systems are later analyzed; the EO notes the same dynamic. So the aim is to have cloud providers store more data on their end users. The EO came just after the 2020 SolarWinds attack and is likely related, but such requirements would not have helped in that case. We also have increasing geo-redundancy for critical data.
A more plausible motivation is that the National Security Agency and Cyber Command would be able to monitor more servers. However, the U.S. already has a domestic intelligence agency, the FBI, with the remit to monitor such servers, albeit under more significant conditions. If you launch a powerful attack from a server in the U.S., the FBI will get access to it. Yes, pushing attackers off U.S. infrastructure would make it easier for Cyber Command and the NSA to perform signals intelligence, because the traffic is no longer domestic. The stated intention is to stop U.S. services from becoming bulletproof hosting. Ultimately, the trade-off is that even if Cyber Command can monitor the servers, it becomes harder for the FBI to seize a full copy of one. Seizing a copy of the server is better, but it takes longer, and the data can be gone by then. Still, the legal distinctions here get complicated.
It’s a complicated balance. As a private researcher, I’ve gone to cloud providers and asked for copies of servers that attackers have used, and most of the time, they just ignore you. Still, after talking to their legal team, they give you a copy of the server, and it’s beneficial to be able to stop related attacks. There is a complicated balance here between privacy and security. We used to have public WHOIS data, which told you who owned domain names. Much of that data is no longer published, saving the domain resellers money and enhancing privacy, but hurting security.
Seeing a sorely needed update to the National Cybersecurity Strategy that recognizes the cloud’s primary importance is excellent. Still, to keep things in perspective, the greatest threats to cloud providers and their customers are power cuts and fires. So far, the Biden administration has received positive reviews for improving cyber resilience. The government can, should and already does regulate cloud providers in certain instances, such as through FedRAMP, the authorization framework for cloud services used by federal agencies. Continued progress on U.S. regulation of cloud providers is necessary, and its impact could be huge.
Chris Doman is chief technology officer and cofounder of Cado Security.