Cybersecurity & Tech

The Cyber Regulators Are Coming for the Cloud

David Forscey
Tuesday, April 20, 2021, 10:17 AM

We need to treat the cloud computing sector like the critical infrastructure it has become.

The Amazon Web Services office in Houston, TX. (Tony Webster, https://tinyurl.com/ytzc422a; CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Today’s cloud computing industry is as important as it is complicated, a critical and opaque sector that undergirds the economy but that few people truly understand. Cloud services have become a pillar of digital society, supporting nonstop innovation. They also create interdependencies that generate a wellspring of concentrated risk. Ensuring that the various subsectors of the cloud industry maintain the resilience of cloud-based technology resources is therefore a matter of profound public importance. The federal government should revisit its long-standing hands-off approach toward this industry to reflect the national security interests at stake.

As digital technology has advanced, two trends magnified the risks of malicious attacks carried out via cyberspace. Market consolidation steered more and more users toward a smaller set of software vendors, some of whom grew their installed base to hundreds of millions or billions of devices. At the same time, the explosive growth in cloud computing since the 2000s has led more organizations to link core business functions to the cloud.

Countless organizations, including critical infrastructure owners and operators such as telecommunications companies, banks, and power companies, now depend on a growing variety of cloud services to manage essential data and run core business functions. Cloud infrastructure vendors sell remote access to computing hardware, allowing customers large and small to build operations around cheaper, more flexible software. Cloud platform companies offer online platforms that make it easier for cloud application developers to write stable software programs that end users can access from anywhere. Some businesses, including so-called hyperscale providers (think Amazon, Microsoft, Google and Oracle), compete in each of these areas.

Market consolidation combined with the popularity of interdependent cloud services has created dangerous opportunities for cyber adversaries to scale their attack campaigns. By compromising or disrupting access to a single cloud service, attackers can inflict serious harm on any of the numerous organizations—including cloud companies and their customers—that might depend on it. If an essential cloud infrastructure provider like Amazon Web Services ceased functioning for even a few days (a nightmare scenario), the impact could be severe.

The Atlantic Council’s recent report on the Sunburst espionage incident underscores that this problem is not theoretical. The Russian government successfully targeted Microsoft’s identity products, including those in the cloud, in conjunction with software supply chain attacks, to remain undetected and steal data from multiple federal agencies and hundreds of Fortune 500 companies. This campaign will not be the last, and the attackers certainly could have caused much greater damage.

In short, the resiliency of cloud companies big and small, including infrastructure, platform, and application providers, is not a niche policy topic; it is a core national security concern. Yet surprisingly, outside of federal contracts, federal law does not impose any general obligations on cloud companies to minimize the chance that accidents or malicious attackers might compromise, disrupt or disable cloud-based services. It would be unthinkable to absolve nuclear power utilities of the responsibility to protect against cyberattacks, which is why the Nuclear Regulatory Commission issues stringent cybersecurity rules to that effect. When it comes to cloud computing, the stakes are different but equally serious. Cloud services are really that important, and the sector “holds a vast amount of public trust.”

When an industry becomes too important to fail, blindly trusting the market to self-regulate becomes unwise. It marks the moment when the government, representing the public interest, is supposed to incentivize broader risk management practices that ensure continuity of the economy. Regulation is an important (although often clumsy) tool to mandate practical measures that address low-probability, high-consequence risks. This is true for other sectors of critical infrastructure, such as energy and finance, and it is true for the cloud industry.

The largest hyperscale cloud companies like Amazon and Google already invest billions to harden the cybersecurity of their systems, but regulation still has a role in pushing these companies to act with the broader public interest in mind. As seen with the 2008 financial crisis or the electric grid failures in Texas, market incentives alone do not guarantee proper risk management by even the most important critical infrastructure stakeholders.

Nor should policymakers and regulators overlook smaller (non-hyperscale) cloud providers. Firms such as Cognizant, Infosys, or DigitalOcean are successful businesses that might already invest appropriately in cybersecurity to protect themselves and their customers. But because of the complex and often unseen interdependencies that define a cloud-based digital economy, a compromise at one of these companies can ripple through many other organizations. This means that some cloud providers are more critical to the nation’s digital resilience than they—or anyone, in some cases—understand. Policy and regulation can ensure these for-profit businesses do not underrate or ignore their firms’ potential responsibility as an important element of national resilience.

Policymakers can start treating the cloud sector as the critical infrastructure it is by rethinking how the federal government collaborates with cloud providers large and small. Congress recently created a Joint Cyber Planning Office within the Cybersecurity and Infrastructure Security Agency and the new Office of the National Cyber Director inside the White House. As the Atlantic Council explains, these two organizational changes present an opportunity to combine the federal government’s strategic insights—why, how, and when the Russian government might compromise cloud companies and the customers they serve—with the private sector’s advanced tools and talent to mitigate and thwart potential attacks to critical cloud services.

Although such collaborative initiatives might become ensnared in disagreements over government regulation, mandatory rules are coming in one form or another. The Biden administration is readying an executive order requiring software companies (presumably including cloud businesses) to notify their government customers when they have a security breach. While the devil is in the details, the spirit of this order would strike many Americans as common sense. National security officials need to learn quickly about security incidents affecting cloud services that federal workers use to store and exchange sensitive data. Powerful cybersecurity advocates such as Sen. Mark Warner are calling for a broader federal breach notification law.

Federal regulators should go further than post-breach incident reporting if they want to incentivize preventive measures that meaningfully reduce the concentrated risks presented by the U.S. economy’s dependence on the cloud industry. Policymakers should impose a general requirement by all cloud providers, whether publicly traded or not, to institute cybersecurity protections that are “reasonable” given their size, revenue and the potentially critical role of their customers. Congress and many states have relied on this sliding scale approach to mandate privacy safeguards for consumers’ personal information in other sectors. In this case, however, the objective would not be to prevent unauthorized access to customer data, but to enforce measures that enhance the availability and resiliency of popular and critical cloud services themselves. While a general requirement lacking specific standards might disappoint regulatory hawks, the pace of change in the cloud industry coupled with a lack of technical understanding by many policymakers counsels in favor of less specificity for now. The first steps toward ensuring that senior executives and board members overseeing cloud companies internalize their responsibility as critical infrastructure operators need to happen now.

The coronavirus pandemic has accelerated the importance of cloud computing. No sector of similar importance has escaped regulatory scrutiny, and in the wake of the Sunburst/SolarWinds fiasco, more policymakers are asking how adversaries might use the cloud against U.S. and allied interests. Leading cloud infrastructure and service providers should recognize the shifting winds and begin working proactively with the policy community to ensure that, when it comes, government action helps more than it hurts.


David Forscey is Managing Director for Aspen Digital’s cyber & technology programming at the Aspen Institute. Previously he worked in the Resource Center for State Cybersecurity at the National Governors Association and as National Security Fellow at Third Way. He graduated from Georgetown University Law Center in 2015 and earned his undergraduate degree from the University of Virginia in 2011.

Subscribe to Lawfare