The National Security Agency (NSA) is moving all of the data it collects, analyzes and stores to a cloud computing “environment” it calls Intelligence Community GovCloud. All of the information that NSA possesses will be accessible remotely in this “big data fusion environment”.
This is quite possibly the worst idea I have ever heard.
Except for this one.
The Defense Department has now begun accepting proposals for its highly-anticipated Joint Enterprise Defense Infrastructure (JEDI) cloud contract. The JEDI contract will be awarded to a single company. That company will then be in charge of holding, safeguarding and providing access to all of the mission critical and classified information possessed by the Pentagon.
Maybe before we go any further we ought to clarify what exactly is meant by cloud computing. It sounds very sexy and high tech. It’s not. Basically, what it means is that your data, all of it, is sitting on someone else’s server. Instead of NSA, for example, putting its data on classified servers in a vault under its physical control and underneath its massive headquarters complex in Maryland, it will now turn all of that data over to a private company, which will store it and be responsible for keeping it secure.
The mind boggles.
Every day we are barraged with stories of cyber-attacks on US companies and the US government. The Russians alone have in recent memory:
- Gained remote access to energy sector networks in North America and Europe, observed communications and accessed the control systems.
- Targeted key national infrastructure facilities including water grids and nuclear power plants.
- Attempted to map the entire US telecom infrastructure with the goal of developing a cyber weapon to disrupt our communications.
- Hacked the computers of the Democratic National Committee.
- Accessed voter registration rolls in at least seven states.
- Hacked the email of US persons working in the defense and aerospace industries. These people were involved in work on missiles, drones, rockets, fighter jets, cloud-computing platforms and other sensitive activities
- Attacked the computers of the US Senate.
This is just a sample of what the Russians have done within the last two years. Every day computer systems, private and governmental, are being attacked by criminal elements and by agents of multiple other foreign powers like China and Iran. The US government’s record in withstanding these attacks and maintaining the security of sensitive data is abysmal.
A recent report on cyber security by the White House’s Office of Management and Budget found that of 96 federal agencies assessed, 74 were deemed either “at risk” or “high risk” meaning that they need crucial and immediate improvements. Half of the agencies reviewed lacked the ability to determine what software they were running on their systems. Only one agency in four had the capacity to even detect a breach of its computer systems. In 38% of cases where government systems were hacked, no one was ever able to even identify who had perpetrated the attack or how.
One would like to hope that while the average government agency is woefully unprepared our intelligence and defense establishments would be on top of their game. Unfortunately, the record demonstrates otherwise. In 2013 Edward Snowden, a contractor working for NSA, stole a staggering 1.7 million classified documents. None of those documents has ever been recovered. They are all considered compromised.
In 2014 a British man hacked into the Pentagon’s satellite phone system and stole information on 800 individuals and tens of thousands of satellite phones.
In 2015 the email system for the Joint Chiefs of Staff was hacked.
In 2016 a group calling itself the Shadow Brokers, according to press reports, hacked into computers associated with NSA and stole some of the world’s most sophisticated cyber-attack software. That software has been used on multiple occasions since for attacks worldwide.
In 2017 a Pentagon database containing almost 2 billion documents was found to have no security whatsoever and be readily accessible via the internet.
In fact, a recent internal audit of the NSA found shocking cyber vulnerabilities. Those vulnerabilities included computer system security plans that were inaccurate or incomplete, removable media that not being properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they’re qualified for the work they do. The agency was also found not to have properly implemented the “two-person access controls” on its data centers and equipment rooms mandated by the Director of NSA after the Snowden breach.
All of the incidents highlighted above are examples only. US government computer systems are under cyber-attack every day and compromises are frequent. All projections are that the pace of attacks will only intensify and that their sophistication will only increase. Now, defying all logic and all common sense, in the face of this onslaught we are in the process of handing information that represents literally the “crown jewels” of American intelligence and the American military over to private companies and trusting that they will maintain its security and prevent catastrophe.
A rational response to recent events and the actions of our adversaries would be to double down on serious accountability and strict security practices. Sensitive data should reside on government-controlled servers under the control of government personnel operating in accordance with strict, no nonsense rule and regulations. Individuals playing fast and loose with the security of classified information should have their access to such data revoked immediately. Individuals not enforcing procedure should be shown the door. This is not a game. It should not be treated as such.
That is what should happen. It is not what will happen. In the world of Washington, DC where accountability is elusive, and priority is placed on awarding big contracts and making big defense corporations even bigger “cloud computing” is the new cash cow. The companies in question will make vast sums of money, the JEDI contract alone is worth $10 billion, but we will pay the real price in damage to our national security.