Oracle Corporation

08/28/2024 | Press release | Distributed by Public on 08/28/2024 16:12

The Slow Degradation of Government IT Cloud Security Standards

Trust is one of history's most dangerous concepts, littered with example after example of trust gone awry. Current and future conflicts are going to be data-driven, accelerated by artificial intelligence, with systems and humans all interconnected. Vint Cerf said it best, "The wonderful thing about the Internet is that you're connected to everyone else. The terrible thing about the Internet is that you're connected to everyone else." As war relies more on information, we should expect our enemies to strike these systems in cyberspace and kinetically.

Often, breaches and hacks are entirely preventable. Some are the result of IT security malpractice, others the result of inexperience, while others are simply outmaneuvered by sophisticated foes. And even with the best of IT systems, it is not possible, or even likely, that all zero-day vulnerabilities will be eliminated, which is why defense in depth remains essential.

Yet the worst category of breaches is the one where we know better but accept risk and lower our defenses anyway. No matter the cause, the result is always the same: devastating setbacks, exposures, and loss of critical information. One way or another, in a data-driven, interconnected, AI-accelerated battlespace, more breaches are coming because there are more targets. The only question is whether we are going to prepare for them now or rationalize them later.

Theoretically, Cloud Service Provider (CSP) offerings are more secure than older, on-premises offerings because security is managed at scale and by professionals. But CSPs are also centralized, homogeneous targets with architectures well known by our adversaries. And it turns out that as some CSPs commingle multiple customers in the same infrastructure, that proximity is a cloud's largest vulnerability, which is why next-generation clouds architect physical separation of services throughout the technology stack. Governments look to CSPs because they need to capture the advanced services and scale economics of modern cloud, but they should also require tried and true concepts of sovereignty and physical isolation to lower risk and enhance security. "Trust everyone, but cut the cards yourself," applies to IT security as well.

If the US and allied governments were granted one "superpower," it would be to foresee the inevitable future and put security first. Over-solve, over-prepare. That's exactly where the USG, FVEY, NATO, and others were all headed with security frameworks built around zero trust. Embrace the advantages of the cloud, but do so in a manner that emphasizes sovereignty, isolation, and extra layers of physical defense. "Trust no one" includes CSPs.

That is, until the modern-day CSP snake oil salesmen showed up. Trust "us," they say. "You can start with public cloud to store sensitive, 'restricted' data." "Encryption, key management, confidential computing," they say quickly. It is true, encryption works, unless you want to actually use the data.

"Banks use the public cloud, you should too," they say. "Don't worry about unsavory neighbors." You can hide in plain sight, hide in the "noise." But poor security in good company is not a strategy, it's a recipe for disaster. And it's not like nation-state attackers aren't paying attention:

Behind this "public cloud is good enough" push is CSP economics, not security. Public cloud deployments scale economically, where isolated cloud does not. Translation: CSPs make more money if government data, of all types, is put in the public cloud. While today CSPs hold unclassified data in public clouds, there are some who seek to put restricted data in public clouds. Thankfully, consensus remains that isolated, air-gapped cloud regions should be used for governments' most sensitive classified information. But that doesn't mean that "restricted" data is any less of a target or that its unauthorized disclosure would not put national security initiatives at risk.

But there's more. Even non-air-gapped offerings in cloud regions fully dedicated to government customers are far preferable to government data commingled in the cloud with commercial data. Data in dedicated regions is far less likely to be compromised or exfiltrated, because in a public cloud, anomaly detection can quickly identify government customers by their unique security configurations, meaning they cannot hide within the public cloud customer "noise." If government customers were to lower their security standards to better blend in with public cloud norms and theoretically hide in that "noise," so too can attackers. Fully dedicated regions also permit governments the flexibility to work with their CSP to deploy bespoke security detection rules that would otherwise raise concerns for shared public cloud tenants.

Existing government security requirements for US and allied forces are clear and delineated. Rather than meeting these requirements, some CSPs seek waivers from the requirements to use public cloud, which is obviously less secure than an isolated, air-gapped region and also less secure than cloud regions dedicated to government customers alone. Even worse, some CSPs seek to lower the security standards overall. Inch by inch, step by step. The problem is that perpetually granted waivers eventually end with the exception eating the rule.

This is not a theoretical risk. We are starting to see governments slowly caving to the economic interests of CSPs, chipping away at the proven security architecture of sovereignty and isolation in favor of public cloud. What could go wrong? Restricted government data sandwiched between McDonald's and PetroChina, between Toyota and Evergrande. Right, in different "tenancies." Government support calls routed to call centers in China. And the exact same cloud architectures offered by CSP joint ventures with Beijing 21Vianet Broadband Data Center Co., Ltd or Beijing Sinnet Technology Co., Ltd?

Take, for example, US Impact Level 5 (IL5), which is the standard for systems handling sensitive unclassified information, e.g., higher sensitivity controlled unclassified information (CUI), mission critical information, and unclassified national security system information. The standard is clear and requires "physical separation from non-DoD/nonfederal government tenants (i.e., public, local/state government tenants is required)," published June 2024. What could possibly have gotten better in the past three months to waive this requirement? CrowdStrike? Or take NATO's newly published "Appendix C," which now allows for storage of classified "NATO restricted" data, the rough equivalent of IL5 data, in the public cloud.

AI is changing everything, and that's true for data breaches as well. The problem is that a massive breach of aggregated "restricted" data drawn into an AI training model can be far more devastating than a far smaller breach of "classified" information. Jack Teixeira's treason was limited by his access, not his intent. Yet the Office of Personnel Management and Equifax lost highly sensitive (but unclassified) data on tens of millions of people, a data trove useful for model training and targeting. SolarWinds gave secret access to government systems to nation-state actors. And while breaches are only accelerating, so are ransomware incidents like Colonial Pipeline. CrowdStrike's flawed update froze thousands of Microsoft systems and disproportionately impacted critical sectors. The UK National Health Service and Change Healthcare were victims of ransomware that halted medical services. None of this data was classified.

Why are public clouds ok for sensitive commercial data if they are not sufficient for government data? Well, for starters, commercial enterprises are not nation-states and have entirely different sets of incentives and risk tolerances. But we are also seeing an accelerating trend with commercial enterprises, in areas such as critical infrastructure, banking, telecommunications and health care, seeking to reduce risk by moving their most sensitive data to dedicated regions and more secure sovereign cloud architectures. So why would government security policy be headed in the opposite direction? Could it be that government data is less secure than Vodafone's?

The solution for government IT security is not to surrender before we even get started. Attackers will target where the data lives, and to put critical data in less secure environments and architectures well known by our adversaries is begging for a breach. There is a proven model and a security framework in place that starts with isolation and sovereignty, not trust. Government data should be air-gapped from the public Internet, not interconnected. There will always be human and technical vulnerabilities, and we need to make it harder for internal or external actors to exfiltrate stolen information. Encryption is a feature of security, not a foundation.

CSPs peddling public cloud solutions for government data of any kind or classification level is like leaving the hen to guard the fox house. It's a bad idea, and it's an idea that will be unexplainable in hindsight, because it is clearly a catastrophic breach in the making.

Waivers for public cloud may have made sense when there was no more secure alternative. But that is no longer true, so we need to stop letting waivers eat the rule. And the US should strongly oppose NATO Appendix C because that's US restricted data as well.

Lots of people got rich off snake oil, but no one ever got cured. The advice we would give our younger self would be to trust no one, CSPs peddling public cloud for any government data included.