When it comes to cybersecurity and communist China, Microsoft needs to get its act together, and so does the US government.
When a company boasts to its customers about the security its products provide, but an independent panel of experts tells it that its culture is actually deprioritizing cybersecurity, it's time for some self-reflection. The federal government also needs to reflect, as the company plays a dominant role in providing essential technology services to the U.S. government, critical infrastructure, tens of thousands of businesses, and tens of millions of Americans.
This month, the Cyber Security Review Board (CSRB) released a damning report on Microsoft's cybersecurity flaws after it was discovered last summer that Chinese hackers had used compromised Microsoft systems to access the email accounts of senior U.S. officials. The report doesn't mince words. The cyber attack was “preventable,” “should never have happened,” and was the result of “a cascade of security failures at Microsoft.”
The CSRB is modeled after the National Transportation Safety Board and is a new, albeit narrower, effort to investigate serious cybersecurity incidents and, based on its findings, provide recommendations to improve the nation's cyber resilience. Housed within the Department of Homeland Security, the CSRB is comprised of government officials and private sector experts. Assessing how nation-state hackers compromise America's largest companies is one of the key reasons the Biden administration established the review board.
It's no surprise that Microsoft has become a target of nation-state attacks. Increased efficiency and reduced costs have led to increased reliance on geographically dispersed data centers, or “the cloud.” Microsoft dominates the cloud services market, serving federal and state governments, American businesses, and much of America's critical national infrastructure. As the CSRB states, “Microsoft's ubiquitous and critical products underpin critical services that support national security, the foundation of our economy, and public health and safety.”
The report vividly explains that hacking Microsoft's cloud environment is the espionage equivalent of mining gold, and that both nation states and criminals are the “49ers” of this 21st century gold rush.
What is shocking, disturbing, and unacceptable is that, as the report makes abundantly clear, Microsoft has grossly failed in both its security architecture and its implementation of basic security procedures. Because America's national security, economic prosperity, and public health and safety depend on cloud service providers, these companies should be required to “demonstrate the highest standards of security, accountability, and transparency.” However, the CSRB concluded that Microsoft does not maintain security controls that other cloud service providers do.
This failure was compounded by Microsoft's aggressive approach to reducing competition for its services by ensuring that customers purchased little or no security services outside of its own product suite. While this “monoculture” approach serves Microsoft's bottom line, it does not ensure that customers (even important ones like the Department of Defense) are running the most effective security programs possible.
Microsoft's drastic approach is an intolerable national security risk for the United States.
There is a solution to this challenge. So far, the Biden administration, like its predecessor, has failed to treat cloud service providers as one of the “most important critical infrastructure industries,” as the report notes.
The administration is beginning a review of a decade-old policy document that outlined which industries are considered critical infrastructure and how the federal government will interact with those sectors. The resulting update should clearly and unambiguously state that cloud services are standalone critical infrastructure. Recognizing the cloud computing industry as critical infrastructure ensures that a federal agency is assigned as its sector risk management agency to work to reduce threats and establish national cybersecurity standards.
While designating the cloud as critical infrastructure and creating national cybersecurity standards for providers are the most important steps to take from the CSRB report, there's still another Microsoft-sized elephant in the room.
The report does not mention Microsoft's ongoing research, development and engineering operations in the People's Republic of China. As other tech companies retreat from China, Microsoft is expanding its cooperation with the Chinese government. Despite the evidence, the company has assured the public that it is a good corporate citizen and is not complicit in Chinese censorship. And Microsoft has dismissed concerns that this continued business relationship poses a risk to U.S. national security. But after reading the CSRB report, no one can reasonably trust Microsoft's ability to assess its own security risks.
President Biden and President Xi had a “candid and constructive” telephone conversation earlier this month, with President Biden telling his Chinese counterpart that the United States “will take the necessary actions to prevent advanced American technology from being used to undermine national security.”
It may also be time for President Biden to have such a conversation with Microsoft's leadership.
Maj. Gen. Mark Montgomery (ret.) is a senior fellow and senior director of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies. He served as Executive Director of the Congressional Cyberspace Solarium Commission.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.