A controversial executive order that would require U.S. cloud companies to more closely monitor the identities of their customers will move one step closer to the finish line next week amid opposition from the industry.
The White House’s proposed executive order is meant to address an increasingly serious and visible cybersecurity problem in which Chinese and Russian hackers rent U.S. cloud infrastructure space to carry out cyberattacks or scan for vulnerabilities, allowing them to hide in plain sight by acquiring a domestic IP address.
The threat is exacerbated by the fact that the National Security Agency is barred from monitoring American networks.
Cloud companies have vehemently opposed the proposed rule, pointing to the vast logistical and financial costs it would impose and arguing that sophisticated actors will be able to easily dupe cloud companies with fake identities, thereby rendering the effort meaningless. An industry comment period closes on Monday.
“The proposed identity verification requirements for IaaS [infrastructure as a service] providers and foreign resellers are overly burdensome, not sufficiently targeted, and risk advantaging foreign competitors,” the technology industry association NetChoice said in comments filed last week.
NetChoice, which represents two of the three largest cloud providers — Amazon and Google — also took the opportunity to knock their biggest competitor, Microsoft, saying the proposed rule would make the U.S. government even more dependent on the Seattle-based company than it already is.
“The government’s dependence on Microsoft products raises serious concerns, as evidenced by the company’s recent major security breaches,” the NetChoice comment said. “Diversifying technology providers and using the government’s leverage to drive security improvements at Microsoft are essential.”
Supporters of the executive order say the change is vital and argue that the cloud companies need to be reined in, pointing to a report from the American Security Project last year which documented how Microsoft, Amazon and other cloud companies sell their products to the Chinese government and its military.
National security experts said the ubiquity of cloud-based services makes the executive order a no brainer.
“From a national security perspective, cloud-based services and utilities are literally the keys to the Kingdom these days,” said Paul Rosenzweig, a former Department of Homeland Security official who has since founded Red Branch Consulting, which focuses on national security issues. “We have so far migrated away from server based systems, isolated systems, that it’s not even a debatable trend and it’s only going to accelerate.”
Last month the Cyber Safety Review Board slammed Microsoft’s security practices relating to a 2023 cloud-enabled intrusion which led to Chinese hackers infiltrating the emails of Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns. The report included a series of recommendations for improving cloud security.
Rosenzweig said the Microsoft incident along with several others over the past 18 months have led him to conclude that adversaries like China and Russia take advantage of the U.S. in part through the cloud.
“It all comes down to vulnerabilities and we’ve just got to do something better,” he said.
Delete hosted cloud. Move back to hosting your own. When every cloud is different (since it’s built and configured by some random IT and DevOps people for that company) it becomes much harder to find an exploit than it is in the big 3 cloud providers. Security by obscurity.
Cloud services targeting governments are just a giant scam (e.g. FedRamp). They are just as vulnerable as everything else, the only difference is some slick salesperson was able to land a contract by talking about how much money it would save by not having to hire “expensive engineers” directly. This is exactly where it leads, and it’s not a surprise, it’s a known known in big tech.
Aside from the fact the industry has been doing whatever they like for the past forever, I don’t see any reason they can’t do this. The entire banking industry does. Your provider will sign up for one of the many already existing ID verification services out there and call it a day. Hell it might even make a tiny dent in spam and cyber crime.