Cloud Security INSIGHTS Newsletter
Our bi-monthly e-newsletter, Cloud Security INSIGHTS, delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security.
March Cloud Security INSIGHTS
Cyberwar: Is the Cloud the Target, the Battlefield, or Both?
The US wants big tech to help defend cyberspace from nation state actors and cybercriminals. Does that mean the cloud is now the frontline? Joe Fay investigates.
It’s a looking glass world. Individuals and organizations benefit massively from the cloud. It offers scale, reach and efficiency. It allows organizations to consolidate data, enabling advanced analytics and the training of algorithms that are transforming the way everything works. Combined with open-source software, it enables more agile workflows, leading to the reuse of code and rapid release of new products.
But those who would wish us harm also benefit from the cloud. The cloud offers extended reach, bringing attackers closer to consolidated mountains of personal info or valuable IP. They get to benefit from cost-effective, accelerated processing too! Not to mention the ability to finesse their own malware, and now with the dawn of ChatGPT, more plausible phishing lures. The nature of open source means they are just as free as anyone else to unpick code and even make their own “contributions”, in the shape of tailor-made vulnerabilities. The cloud offers them a truly global attack surface, if not managed and secured effectively.
The U.K.’s Strategic View of the Cloud
The U.K.’s National Cyber Security Strategy certainly highlights the increased danger of the cloud, with countries’ increased reliance on “interconnected digital systems, providing more opportunities for malicious activity and significant ‘real-world’ impact.” Increased convergence of critical and non-critical technologies means “these risks are spreading to new areas of our economy, and the movement of data and services into the cloud – and often out of the U.K. – is further increasing our exposure.”
The strategy states, “Operators of essential services and providers of key digital services (such as cloud services) have particular responsibilities to address the cyber risks they face and meet the obligations set out in the Network & Information Systems Regulations (‘NIS regulations’).”
It continues, “The increasing dependency of businesses, government and wider society on cloud and online services is creating new and unique vulnerabilities and interdependencies.” Which means the major technology providers have a “particular responsibility” to prioritize and increase their own cyber resilience.
The Word from the White House
The recently released White House National Cybersecurity Strategy was even more explicit about the role of cloud providers in relation to U.S. and global security, noting that critical infrastructure “and other critical sectors rely upon the cybersecurity and resilience of their third-party service providers”. It states that “cloud-based services…are also essential to operational resilience across many critical infrastructure sectors.”
But the strategy also spelled out the White House’s chagrin that “malicious cyber actors exploit U.S.-based cloud infrastructure, domain registrars, hosting and email providers, and other digital services…” often through harder-to-police “foreign resellers”.
The Frontline Runs Through the Cloud
At the same time, the White House strategy demands that cloud service providers, along with other tech vendors, become part of the solution to cyberattacks. It pledged that the government will “deepen operational and strategic collaboration with software, hardware and managed service providers with the capability to reshape the cyber landscape in favor of greater security and resilience.”
Elsewhere, it says its investments in cybersecurity will “assure continued U.S. leadership in technology and innovation”, adding that “decades of adversaries and malicious actors weaponizing our technology and innovation against us” showed that innovation was not enough without security.
This will also play out internationally, with the U.S. looking to partner with “foreign and private sector partners” to face down autocratic rivals and preserve openness. This clearly marks out standards and regulatory bodies as part of the ongoing battlefield.
So, the White House and U.K. strategies highlight the specific threats the cloud presents. Both envision tighter cooperation with the private sector, including cloud providers, with the White House expecting this both on an ongoing basis and through ad hoc teams responding to – and disrupting – specific threats.
This all arguably redefines the role of cloud providers, making it harder for them and big tech in general to present themselves as neutral players – if they ever were. Rather, they will be required to take an explicit frontline role in Washington D.C., London and presumably Brussels, with defensive AND offensive operations against cyber attackers, particularly nation state and terror actors.
But does this also mean cloud providers are no longer just a convenient platform for nation states and cyber terror gangs to launch their attacks? Does it make them much more of a target in and of themselves for nation state actors and terror groups who want to cripple national cyber defenses, forestall retaliatory action, or simply create more chaos?
Former British intelligence officer Philip Ingram said this needs to be considered from “a holistic perspective”. Criminal or nation state actors are not going to be sitting there thinking “today we attack the cloud, tomorrow we attack endpoints.” Rather, he stated, “They look for whatever they can find as the weakest element of the system, and then they'll attack the weakest element of the system.”
Attackers might be able to access a given end-user organization’s “cloud” infrastructure or applications, he said. But compromising cloud providers’ own networks and systems will be quite a different proposition, he suggested.
“As soon as a cloud provider has to admit that they have lost a client's data because of an attack against it, that cloud provider will lose its business,” he said. “So, they will do everything they can to deflect and make sure that they're protected against it.”
Overtaken By World Events?
In the meantime, “the cloud” continues to operate against a backdrop of cyber war, further fueled by the physical war in Ukraine, Ingram said. “The Russians are prolific; the Ukrainians are prolific back to the Russians. Elements are bleeding out, they’re attacking the U.K., they’re attacking the U.S., they’re attacking countries around the world.”
Meanwhile, Ingram added, other countries from Iran and North Korea to China are looking to exploit the situation. The motivations might be different – out and out cyberwar for Russia, intellectual property (IP) theft and commercial advantage for China – but the effect is the same.
Does this mean “the cloud” has become more dangerous? “There's no one easy answer to give as to whether someone is targeting the cloud,” said Ingram. “Because every attack has got an element of targeting the cloud.”