The Pentagon has given up, at least for now, its attempt to ram through a massive procurement for cloud-based computer services – a procurement it had rigged in the opinion of many in the industry to go to Jim Bezos’ Amazon which already has a contract with the CIA.
However, there are conflicting stories so no one can yet be sure the proposed deal is fully in the waste bin.
It should be trashed for operational reasons.
The Pentagon’s proposed single award contract included no backup system should the cloud go down. This means one of two things: either the Pentagon thinks it does not need a backup or, more likely it will continue to operate its disparate computer networks as the actual backup.
In the first instance, if there is no backup you are looking at a recipe for disaster.
In the second instance, using the old system which has repeatedly been subject to successful cyber attacks including cyber thefts and denial of service, the existing vulnerabilities of the backup will simply transit to the new cloud and expose it to multiple threats.
Most commercial businesses that use cloud computing have multiple providers that both help segment the risk by appropriating it among different suppliers and assuring prompt recovery in case of failure.
For a variety of reasons, but mostly because the Pentagon does not know how to put in place security around multiple cloud environments, the Pentagon did not follow this common sense approach.
In fact, outsourcing highly sensitive information is the Achilles heel not only of the Pentagon but of the entire security establishment. Consider NSA. NSA has outsourced all sorts of work to contractors and has paid the price as spies have found it much easier to go after contractors than try and penetrate NSA itself.
Edward Snowden, for example –the former CIA employee– was hired by Dell, and later by Booz Allen Hamilton, which was contracted by the NSA, giving Snowden unprecedented access to super-sensitive spying operations which he systematically leaked and –though not proven– may have shared with foreign governments, especially Russia (where he now has temporary asylum).
Outsourcing is a risky business, and it is especially risky where the private company has limited or no experience in operations in a secure environment.
But simply avoiding costs and responsibilities by going to a single source cloud solution introduces an even more significant risk: namely creating a single target for an adversary.
If in a crisis the adversary can disable the cloud network source, Pentagon operations would suffer a severe hit. While cloud systems are built to be redundant and often integrate the latest security protections, most of the cloud hardware and software is commercial, meaning it is relatively easy for an adversary to understand its flaws and vulnerabilities. More broadly, the entire US critical infrastructure suffers from the same disease, whether or not it is using cloud computing. But, by creating a single target the Pentagon jacks up the risk for a successful attack on its operations.
During the pause, which may or may not be indefinite, the Pentagon needs to figure out:
- how it can distribute its vital classified and operational information to multiple platforms to reduce the risk of a denial of service, disruption of military operations and theft of command and control and data;
- how it can support security measures and put in place the mechanisms to protect security if outsourced to a cloud service;
- figure out the costs of supporting security measures
- figure out how qualified personnel can be hired for both the operational and supervisory tasks and how they can receive necessary security clearances
- decide how currently employed and cleared military and civilian cyber personnel can be retained if cloud operators offer them better deals
- invest in R&D to get away from commercial high-risk computing and networking platforms
- develop cloud monitoring systems that can be operated by military commands and that can watch cloud network activity and report disruptions, breaches, and intrusions (such systems right now either don’t exist or are entirely in the hands of the cloud operators)
- put in place disclosure requirements on contractors in order to make sure negative information is reported in a timely manner
- evaluate whether the Pentagon should think of alternatives to just a “rent a cloud” approach –for example, joint operation, shared ownership, and locating cloud systems in secure places such as military bases or trusted research organizations
- consider how to avoid being vendor trapped if cloud performance is unsatisfactory.
It remains to be seen if the Defense Department has the guts and courage to do the job the right way.
*This commentary was posted on Bryen’s blog, on June 1, 2018