A Few Questions on Cybersecurity and the Cloud
Published by The Lawfare Institute in Cooperation With
On Aug. 31, the Carnegie Endowment for International Peace’s Cyber Policy Initiative released the report “Cloud Security: A Primer for Policymakers,” written by Tim Maurer and Garrett Hinck, and the Atlantic Council’s Cyber Statecraft Initiative launched “Four Myths About the Cloud: The Geopolitics of Cloud Computing” by Trey Herr. The Carnegie report focuses on (a) the question of what the cloud is, (b) the evolution of the cloud and its market, and (c) cloud security, including a review of past cloud-related incidents and novel frameworks to think through key issues. The Atlantic Council’s report offers a brief primer on the concepts that undergird cloud computing and then takes on four myths about the interaction of cloud and geopolitics: (a) that all data is created equal, (b) that cloud computing is not a supply-chain risk, (c) that only authoritarian states distort the public cloud, and (d) that cloud providers do not influence the shape of the internet.
Below is a Q&A with the authors of both reports:
Question #1: How do you think about cybersecurity with respect to the cloud?
When thinking about cloud security from a public policy perspective, the need to address an existing public policy problem must be differentiated from the need to address an emerging public policy problem. The existing public policy problem is the rising cost of cyberattacks and the deteriorating cybersecurity landscape. Most organizations—governments and companies—struggle to protect themselves against efforts to undermine their information systems. Few organizations can rival the security teams of the large cloud service providers, so many opt to entrust these teams with their security. Policymakers must balance these benefits against the emerging risk of concentration—that increased reliance on a few major cloud service providers could expose societies writ large to systemic risks.
However, cloud computing security is rooted in shared responsibility. Cloud services provide organizations with a host of capabilities and make things like widespread automation easier, but they don’t relieve those organizations of responsibility for understanding and managing their cybersecurity. The same is true in the policy environment—cloud providers can offer answers with technology, but it’s up to customers to define the questions and up to policymakers to shape which questions and answers are important for the public good.
Question #2: What are the biggest popular misconceptions about cloud computing?
Two are most prominent.
First, there’s a misconception that a migration to the cloud will solve all of an organization’s cybersecurity problems. While it is generally true that a migration to the cloud will better protect most organizations, the migration itself creates a new, temporary risk, particularly for accidents. It then also requires a different security approach to manage the shared responsibility effectively.
Second, cloud providers do not operate either as democracies or as monoliths. The reality is somewhere in between; no organization the size of Microsoft or Amazon operates as a cohesive whole. Decision-making is fragmented, business units are competitive, and C-suite leadership is involved in overlapping political coalitions—and there’s even the odd coup. Companies make decisions by a mix of consensus and individual leadership, but these deliberations are largely opaque to the public and policy community. Contemporary models of corporate governance are an exemplary way to drive innovation while also keeping the trains running on time, but they get low marks for popular accountability and transparency. As cloud computing increasingly resembles utility infrastructure like power or water, these providers’ decisions will shape social and political outcomes, and this opacity will steadily become costlier to corporations and citizenry alike.
Oh, and the cloud isn’t literally made of clouds, despite the image reinforced by giant advertisements at subway stations, airports, on buses, and the like. The illusion of some fluffy, white ephemera where users store data, which automagically makes computing happen, obscures the realities of the very tangible hardware infrastructure and highly complex software architecture at the cloud’s foundation. It also obscures the fact that this is a hard-nosed business run primarily by a few giant tech companies.
Question #3: What will cloud governance look like in the future?
It will be messy. The industry is experiencing tremendous competitive pressure as cloud adoption accelerates, especially in Eastern Europe, parts of Africa and Asia. Governments are increasingly asserting the need for sovereignty over data and infrastructure, and this drives cloud providers to repeatedly modify their offerings and technical architecture. Some governments in Europe and, to a greater extent, China are putting pressure on foreign providers to help support domestic cloud competitors, further muddying the good-faith facade of security and privacy regulations. The political schism between the United States and China is slowly rippling into the cloud computing supply chain, forcing companies to reevaluate long-standing vendor relationships and reprice their own exposure to national security risks. As millions of cloud users emerge in Japan, India and Indonesia, the still largely transatlantic debates about data governance in the cloud will become yet more complex.
As other countries attempt to expand their domestic regulatory authority to encompass cloud service providers, either through the extraterritorial reach of domestic laws beyond national borders or by forcing companies to store and process data locally, cloud service providers will likely behave as other firms have in the past. Depending on the market, companies will (a) comply with the regulation for the largest and most important markets such as the U.S., (b) communicate that they comply with other countries’ regulations de jure, while de facto using only a few jurisdictions as internal benchmarks, or (c) decide not to enter or opt to leave markets that have overly onerous regulatory burdens.
Policymakers could respond with a multilateral regime with common standards akin to the creation of the SWIFT financial transactions network. However, in today’s geopolitical environment, such an outcome seems unlikely, especially considering that the largest cloud service providers are located in two countries: the U.S. and China. It is more likely that we will see a fragmented regulatory approach emerge along two dimensions. Along one dimension, fragmentation among jurisdictions will lead to individual countries and small groups of like-minded countries creating regulatory frameworks. Along the other dimension, fragmentation across sectors will lead to individual sectors starting to impose regulations that affect cloud service providers, for example, through third-party provisions.
Cloud governance today is characterized by overlapping security and certification regimes, a thicket of national and supranational data governance rules, and myriad contractual obligations from large enterprise firms and governments. Cloud governance in the future is likely to see these trends accelerate, creating more significant barriers to market entry, legitimate concerns over market concentration, and continuing fragmentation of the public cloud into national and regional community clouds.
Question #4: How can we think about the cloud and resilience today?
It is no secret that tech companies are fiercely competitive, so the willingness of companies to cooperate to tackle shared threats and systemic risks is limited. The U.S. television show “Silicon Valley” was so popular partly because the satirical show portrayed the rivalries among the leaders of the tech industry apparently rather than accurately. With many tech companies less than three decades old, their maturity as companies and as an industry pales in comparison to other industries such as the finance, automotive or aviation sectors. Even Wall Street firms, usually not known for being cozy with each other, come together to better protect themselves against cyber risks, for example, through sectorwide exercises or joint initiatives such as the Financial Systemic Analysis & Resilience Center.
Improved resilience of cloud computing will come from the diversity of cloud architecture providers and increased capacity for cloud providers to adapt to evolving threats and technology bases. The biggest threat to resilience is fragility and brittleness—systems that are unable to evolve in response to unexpected changes or that fail to degrade gracefully when overwhelmed or compromised. Security certification schemes for the cloud, including some government programs like the U.S. FedRAMP, were adopted from programs and controls built for information technology in the 1990s and 2000s. These programs sought to prescribe best practices as a way to manage risk. The problem is that these programs, and their tendency to prescribe specific tenets of system design, slow a cloud provider’s ability to adapt its systems or provide novel technical approaches to deliver the same outcome. Security regulations should emphasize outcomes and measurable system performance over architectural prescription. The lack of cloud-native security regulation in the United States provides opportunities for emerging markets like Poland and India, and more flexible security programs like the U.K.’s G-Cloud, to become models of resilience.
Question #5: Where are the next great geopolitical flashpoints over the cloud?
As the tensions between the U.S. and China are increasing, the geopolitics between the two powers is starting to affect not only the roll-out of 5G but also other technology policy issues—perhaps even cloud computing. With respect to cloud service providers, countries have limited options. They can choose among the main cloud service providers today that are located in either the U.S. or China. While some states are trying to build their own cloud infrastructure, such as the E.U. with its GAIA-X project, it is uncertain if these efforts will succeed. This will likely lead to a landscape where companies in countries that are allies and partners close to Washington will choose a U.S.-based cloud service provider over a Chinese-based one, whereas companies in countries close to Beijing will choose a Chinese one. The most interesting area to watch will be those countries aligned with neither Washington nor Beijing. In those countries caught in the middle, will companies decide to spread the risk among cloud providers from each of the two rivals or find the value proposition of one more appealing than the other?
Another great flashpoint could well be hacker-for-hire firms operating out of Russia, India and parts of the Middle East. These groups build, and in some cases deploy, offensive cybersecurity capabilities on behalf of paying customers targeting users and organizations all over the world. As cloud adoption has accelerated, an increasing number of these targets are hosted on one provider’s cloud infrastructure. The challenge is that, at large scale, these hacker-for-hire groups operate with some degree of benign neglect, if not complicity, from their host governments. As cloud providers increasingly sell to companies in these countries, even to these same governments, they will be forced to choose between, on the one hand, hampering the operation of these hacker-for-hire groups and protecting their users or, on the other, cozying up to new markets and regimes. The result is likely to ensnare the United States and other allied states as well.