Policymakers must confront cloud insecurity, new report warns
Policymakers must do more to confront the increasing vulnerability critical infrastructure sectors face due to their growing reliance on cloud computing, a new Atlantic Council report urges.
The report underscores that the cloud has already allowed “malicious actors” to spy on government agencies, pointing to the 2020 Sunburst hack in which cloud products, specifically Microsoft Azure’s Identity and Access Management services, were compromised.
The authors propose key reforms to shore up defenses, including the establishment of a cloud management office that would proactively survey cloud reliance. Such reforms would better position existing sector risk management agencies to work with CISA to measure and respond to risk.
The report also recommends that Congress create a task force modeled after the groundbreaking Cyberspace Solarium Commission with a remit to design a security agency to specifically protect cloud infrastructure.
“Government policy is still set up to assess the security of a cloud product, not the underlying infrastructure,” Maia Hamin, report co-author and associate director of the Atlantic Council’s Cyber Statecraft Initiative, said via email. “This is a concern as more and more traditional infrastructure — things like energy and healthcare — relies on cloud computing.”
The report argues that the ubiquitousness of the cloud — propelled by its cost savings, scalability, and the ability to outsource infrastructure security — overshadows the fact that policy has fallen drastically behind “in reckoning with how essential cloud computing is to the functioning of the most critical systems and in the development of oversight structures commensurate with that new centrality.”
In addition to the Sunburst hack, the report points to the weakness of software systems, citing a 2019 Google cloud outage which “cascaded into an hours-long brownout for services like YouTube and Snapchat.”
It argues that cloud infrastructure is vital to national security, national economic security, and national public health and safety and must accordingly be treated with more seriousness by policymakers since there is real potential for a cloud compromise or outage to incapacitate critical infrastructure services.
Two features heightening the risk of cloud computing, when compared to previous on-premises systems, should inform how a national cloud risk management policy is constructed, the report argues. Because of how widespread cloud adoption has become, the report says, a vast array of organizations rely on a few shared “linchpin technology systems, including unglamorous subsystems within the cloud, where the failure of one node could precipitate a cascading collapse.”
Separately, because control of and visibility into organizations’ cloud infrastructure are inherently delegated, those organizations lose visibility into the operations and “failure modes” of their cloud systems, the report argues.
“It is time to address the fact that the cloud may have already become critical by the metrics policymakers use when considering whether a system needs oversight to ensure its resilience,” the report concludes. “As more entities adopt the cloud, and as more of the core infrastructure of systems like the Internet come to rely on it, this dependence and the systemic nature of its attendant risks will only compound.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.