FTC Joins the Cloud Security Discussion
On March 22, 2023, the Federal Trade Commission (FTC or Commission) issued its Solicitation for Public Comments on the Business Practices of Cloud Computing Providers. The FTC is seeking information about the market power and business practices of cloud providers and what security steps providers take to protect consumer data. The FTC’s interest in the intersection of cloud computing, competition, and security can have major implications for both cloud providers and any enterprise that uses cloud services, especially if the FTC starts flagging certain activities as anti-competitive or investigating the security practices of these providers. This inquiry may also have implications for other large third-party service providers, like managed services or Internet and security services, if the government makes recommendations for duties of care or standard contract terms. Any parties interested in commenting must submit comments by May 22, 2023.
On the issue of market power and business practices of cloud providers, the Commission requests comments on a variety of operational issues. Topics include the cloud computing infrastructure; the specialization of specific cloud operators; competitive dynamics across layers of cloud computing; and the ability of cloud users to negotiate contracts with cloud providers. The Commission is focused on potential barriers for new market entrants and the current level of competition between cloud providers. On the topic of security of consumer data, the Commission seeks additional information on topics ranging from which industries and infrastructures rely on a small number of cloud providers to the representations providers make to customers about data security.
The FTC’s interest in the competitive practices of cloud providers follows on the July 2021 Executive Order on Promoting Competition in the American Economy, which identified Internet platforms among several other industries for potential focus. The FTC has already moved forward with proposed rules for items identified in the Executive Order, including a proposal to ban non-compete agreements. This solicitation on cloud providers is another step in the FTC’s implementation of the competition Executive Order.
The FTC also joins a growing list of federal agencies exploring cloud security and the role of cloud providers in cybersecurity for critical infrastructure, as the FTC asks specifically about industries such as defense, transportation, healthcare, and financial services. As the recently released National Cybersecurity Strategy (Strategy) heralded, the Biden Administration is shifting federal cybersecurity posture from a collaborative, voluntary model to one that will establish baseline cybersecurity expectations and regulations for industry. The Strategy seeks to “rebalance the responsibility for cybersecurity to be more effective and equitable,” shifting the burdens from end users to the “most-capable and best-positioned” actors. Cybersecurity and Infrastructure Security Agency (CISA) Director Easterly last week described the imperative to do more to protect “target-rich, cyber-poor” sectors.
Cloud providers fall within the set of businesses that the Administration sees as well-positioned to enhance the overall national cybersecurity posture. Acting National Cyber Director Kemba Walden called on cloud service providers to “step up” in her remarks rolling out the Strategy. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger noted that cloud providers enable smaller businesses to increase their cybersecurity capabilities through outsourcing, but also lamented that cloud security is often sold separately from cloud services and expressed the Administration’s goal of ensuring that cloud security is “baked in” to cloud services.
As the FTC’s questions show, the particulars of how to push the cloud industry to enhance customers’ cybersecurity raise legal issues and difficult policy tradeoffs. The FTC asks how existing industry regulations such as those for the financial services and healthcare industries affect the cloud services market. Acting National Cyber Director Walden noted that the White House sees cloud providers as a potential “force multiplier” that could help provide baseline cybersecurity capabilities across critical infrastructure industries—but those industries also have widely different existing regulatory requirements, capabilities, and mission sets. In addition, the cybersecurity goal of leveraging a few, large, capable cloud providers can be seen in tension with the competitive concerns around the market power of such providers. Moreover, establishing cybersecurity rules for cloud providers could create barriers to entry for new cloud services companies, particularly if they have to tailor cybersecurity capabilities to a wide range of critical infrastructure sectors, each with their own set of specific cybersecurity requirements.
One of the more challenging cybersecurity policy issues the FTC raises is third-party risk management. The National Institute of Standards and Technology (NIST) has identified both supply chain risk management and cloud integration as focus areas as it looks to update the Cybersecurity Framework (CSF). For example, stakeholders have asked NIST to address guidance for customers in managing supplier relationships, including for vetting providers and developing contract terms, in the next CSF. The FTC’s solicitation asks specifically about due diligence for selection of cloud providers, as well as how customers monitor the security that their cloud providers offer.
In addition, the FTC asks how customers and providers allocate responsibility for incident response when there is a data breach involving data stored in the cloud. Here, too, the FTC steps into a hot-button issue, as the responsibility for reporting breaches in third-party services is a key policy issue that CISA will need to address in its rulemaking for the cybersecurity incident reporting rule created by the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022. The FTC also asks about how cloud providers identify and notify customers of security risks—a focus consistent with the Strategy’s focus on expanding transparency around cybersecurity in the marketplace, including through the ongoing Internet of Things labeling efforts.
This uptick in regulatory focus on cloud computing was also reflected in the U.S. Department of the Treasury’s February 2023 report on the Financial Services Sector’s Adoption of Cloud Services. The report explored the growing use of the cloud by the financial sector for operational and data storage purposes and identified the issues that can affect the operational resilience of the financial services sector. Specifically, the report identified cybersecurity weaknesses in the cloud computing sector, including: (1) insufficient transparency to support due diligence and monitoring by financial institutions; (2) gaps in human capital and tools to securely deploy cloud services; (3) exposure to potential operational incidents, especially those originating at a cloud service provider; (4) the potential impact of market concentration in cloud service offerings on the financial sector’s resilience; and (5) the international landscape and regulatory fragmentation. Treasury further recommended that cloud service providers adopt security practices such as a comprehensive risk management and oversight program for third-party relationships and authentication and encryption policies. The FTC’s solicitation could be the first step in moving towards a rulemaking that addresses the concerns laid out in the Treasury report.
The FTC’s request for comment on cloud security is the latest in the government-wide trend of moving toward increased regulation and scrutiny of the cybersecurity ecosystem. The FTC’s interest in some of the most active pieces of the cybersecurity policy and regulation landscape could further complicate what is already a challenging and rapidly changing environment for regulated industries. Cloud providers and companies that rely on cloud services should consider providing input to the FTC to ensure the Commission understands the many challenges and tradeoffs as it explores competition and security in the cloud services market.