Tech Risk Assessments: Cloud Services Under the Microscope?
The old saying goes, personnel is policy. This may be particularly true at this point in federal cybersecurity policy, where multiple agencies and Congressional committees play changing roles, including expanding capacities in the National Security Council, an entirely new White House office created by Congress, and the still-young Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS). Each announcement (and round of speculation) leaves observers wondering what it may mean for federal cybersecurity policy.
One new hire, Tim Maurer, a new Counselor for Cybersecurity to DHS Secretary Mayorkas, may provide clues about how DHS could approach cyber risk in the private sector. Mr. Maurer spent several years on cyber policy at the Carnegie Endowment for International Peace. Last year he and a colleague, Garret Hinke, published a study on cloud security, Cloud Security: A Primer for Policymakers (Primer). Its goal was to explain the evolution of cloud services, map issues and dependencies, and raise policy issues that the authors believe must be addressed. It addresses Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
The paper is not gloom and doom. It notes “how important the cloud is for bolstering societal resilience” while asserting that “[c]alls for regulating CSPs have been growing” – hence the authors’ interest in shedding light on a “debate about cloud security” that “remains vague and the public policy implications poorly understood.” The Primer is descriptive, but also makes normative observations, and calls for additional policy scrutiny that, if pursued, may be of interest across the private sector.
The Primer Describes the Cloud Market and Security Policy Questions, with a Focus on Size, Concentration, and Shared Responsibility
The authors describe the development of the cloud market (public, private, and hybrid) and explore implications of past security issues for cloud. They posit that “cloud security thus far is a series of potential catastrophes narrowly averted” and suggest cause for concern in, among other things, the concentration of cloud services and associated security expertise.
The Primer says that “[t]he emerging public policy problem is the new forms of systemic risk that cloud services may create.” The authors repeatedly suggest that hyperscale cloud computing “has several important implications not just for cloud computing but for the design and functioning of the internet itself” – and for security policy.
One notable paragraph states:
The general trend toward market consolidation … is a key development that policymakers should note. The extent to which business functions of so much of the modern global economy now depend on the operations of a handful of firms is staggering. Like electricity in the early twentieth century, the cloud infrastructure is now becoming an important pillar of modern life. As policymakers turn to evaluate the cloud market, as in any industry consolidation, these developments may provoke antitrust concerns… Yet this consolidation also has important security implications….
The authors offer a balanced view of cloud security. “Clearest among the findings of the section dedicated to security is not a deficiency in the security of cloud services, but a positive one for the broader IT ecosystem: a migration to the cloud will help a majority of organizations address the existing problem of cyber insecurity.” At the same time, because cloud services “are inherently networked, concentrated, and shared,” “conceptualizing security risks in the cloud more comprehensively remains an underdeveloped area of study.”
The Primer does suggest that, for practitioners and policymakers to minimize risk, “there will likely be additional regulation,” though the authors are “agnostic about particular regulatory solutions” that would balance “utility, flexibility, privacy, and security.”
The paper offers a hint of where such regulation might head. In the paper’s discussion of cloud “insecurity,” the authors note that “responsibility for risk in the cloud is inherently shared between customers and CSPs. The amount of responsibility and its delineation is dependent on what model of cloud services is being used, as is discussed later in this section. But, in general, there is no escaping that security is dependent on the efforts of two or more parties.” Observing that shared responsibility creates risks because of the potential for customer or user error, the authors appear to suggest a deeper scrutiny of this relationship.
“It is therefore in the self-interest of CSPs to provide assistance to their customers to minimize these risks. This is also an area where government agencies might study how to ensure that such assistance is provided and that in the unequal relationship between most customers and their giant CSPs, the burden (and potential blame if something does happen) does not shift incrementally or otherwise to the customers.”
This line of thinking may portend increased expectations of cloud providers, if the government wants to influence how CSPs work with customers or shift the allocation of responsibilities.
Ancillary Policy Concerns and Possible Regulation
The authors identify several areas for policymakers to consider, which they say are relevant but cannot be extensively addressed due to the Primer’s focus on security: “1) data governance, 2) the connection of technology industries and geopolitical influence, and 3) antitrust regulation.”
Each is subject to substantial policy debate and global uncertainty. These uncertainties include the possible passage of federal privacy legislation, resolution of global data access issues as in the Cloud Act of 2018, global trends toward data localization, and jockeying with geopolitical rivals for technical dominance.
The Primer also identifies recent antitrust debates and describes skepticism about large U.S. cloud providers’ operations. “In many cases, one potential concern is that, because so many businesses rely on cloud services, competitors of the leading CSP firms in other lines of business are their cloud customers, creating a conflict of interest.” The authors note calls to separate business units and offerings but take no position. They conclude their discussion of these issues by noting that “[p]ublic policy decisionmakers grappling with the implications of migrating to the cloud for security reasons must therefore also bear in mind these other dimensions [data governance, geopolitics, and antitrust] to make informed, comprehensive, risk-based decisions.”
The Primer calls for additional work in several areas, but suggests some views about possible government action:
Transparency about use of CSPs. “Whether or not governments should require greater transparency about companies’ use of CSPs is a question that requires further research. For example, a risk associated with such a transparency requirement is that it would increase security risk in a scenario where a CSP is intentionally targeted to get at a customer. However, a transparency requirement will likely also improve risk mitigation policies.”
Protecting undersea cables. “Undersea cables have become critical for ensuring access to data on an ongoing basis. Yet the undersea cable infrastructure that CSPs rely on and its vulnerabilities are a neglected international policy challenge.”
Government in the cloud. The Primer calls for more dedicated research about how governments use commercial CSPs. It notes past GAO studies of cloud adoption by agencies, trends overseas, and questions about the U.S. Federal Risk and Authorization Management Plan (FedRAMP), which has been a candidate for revision but is also a model cited by the Cyberspace Solarium Commission for possible cloud certification programs.
Anyone reliant on cloud services or providing cloud services (public, private or hybrid) would be well served to skim the paper for a sense of how at least one part of government may approach cloud services and risk assessments.
As DHS and other agencies review dependencies between government and the private sector, with CISA acting in its role as the nation’s risk advisor, cloud services of all sorts may be poised for additional scrutiny.