America needs to treat ‘the cloud’ as critical infrastructure
When it comes to cybersecurity and Communist China, Microsoft needs to get its act together — and so does the American government.
When an independent board of experts tells a company — which boasts to its customers about the security its products offer — that its corporate culture in fact deprioritizes cybersecurity, it might be time for some self-reflection. When that company plays a dominant role providing essential technology services to the U.S. government, critical infrastructure, tens of thousands of companies and tens of millions of Americans, the federal government also needs to self-reflect.
This month, the Cyber Safety Review Board (CSRB) released a damning report on Microsoft’s cybersecurity failings, following revelations last summer that China’s hackers leveraged compromised Microsoft systems to access the email accounts of senior American officials. The report does not mince words: This cyberattack was “preventable,” and “should never have happened,” and was the result of a “cascade of security failures at Microsoft.”
Modeled on the National Transportation Safety Board, although with a narrower scope, the CSRB is a new initiative to investigate significant cybersecurity incidents. It provides recommendations to improve national cyber resilience based on its findings. Housed within the Department of Homeland Security, the CSRB is made up of government officials and experts from the private sector. Assessing how nation-state hackers can compromise America’s largest companies is one of the main reasons the Biden administration created the review board.
That Microsoft is a target of nation-state attacks is no surprise. Greater efficiencies and reduced costs have led to heavier reliance on geographically distributed data centers — that is, “the cloud.” Microsoft dominates the cloud service market, providing services to federal and state governments, corporate America and much of America’s critical national infrastructure. As the CSRB observed, “Microsoft’s ubiquitous and critical products ... underpin essential services that support national security, the foundations of our economy, and public health and safety.”
Hacking Microsoft’s cloud environment is the espionage equivalent of striking gold, the report vividly explained, and both nations and criminals are the “Forty-Niners” of this 21st-century gold rush.
What is shocking, disturbing and unacceptable is that Microsoft is significantly failing in both its security architecture and implementation of basic security procedures, as the report makes amply clear. The dependence of U.S. national security, economic prosperity and public health and safety on cloud service providers should require these companies to “demonstrate the highest standards of security, accountability, and transparency.” But the CSRB concluded that even as other cloud service providers were maintaining security controls, Microsoft was not.
This failure was exacerbated by Microsoft’s aggressive approach to reducing competition for its services by ensuring customers buy few or no other security services outside its product suite. This “monoculture” approach helps Microsoft’s bottom line but does not ensure its customers — even critical ones like the Department of Defense — are running the most effective security programs possible.
Microsoft’s cut-throat approach is a national security risk the United States cannot abide.
There is a solution to this challenge. Cloud service providers are, as the report notes, one of the “most important critical infrastructure industries” — yet, until now, the Biden administration, like its predecessors, has failed to treat them as such.
The administration is undertaking a review of the decade-old policy document that outlines which industries are considered critical infrastructure and how the federal government interacts with those sectors. The resulting update should state clearly and unambiguously that cloud services are a stand-alone critical infrastructure. Recognizing the cloud computing industry as critical infrastructure will ensure that a federal agency is assigned as the sector risk management agency to work to mitigate threats and establish cybersecurity standards nationally.
While designating the cloud as critical infrastructure and creating national cybersecurity standards for providers would be the most important step to come out of the CSRB’s report, there is still another Microsoft-sized elephant in the room.
The report leaves unaddressed Microsoft’s continued research and development and engineering work in the People’s Republic of China. While other tech companies have pulled out of the country, Microsoft has expanded collaboration with Beijing. The company has assured the public that it is a good corporate citizen and not complicit in China’s censorship, despite evidence that it is. And Microsoft dismisses concerns that this ongoing business relationship poses risks to U.S. national security. But after reading the CSRB report, no one can reasonably trust Microsoft’s ability to assess its own security risks.
Presidents Biden and Xi had a “candid and constructive” phone call earlier this month in which Biden warned his Chinese counterpart that the United States will “take necessary actions to prevent advanced U.S. technologies from being used to undermine our national security.”
It might be time for President Biden to have that conversation with Microsoft’s leadership as well.
Rear Adm. (Ret.) Mark Montgomery is a senior fellow and senior director of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies. He served as executive director of the congressionally mandated Cyberspace Solarium Commission.