Aftermath of WikiLeaks flap underscores vulnerabilities of the cloud

Denial-of-service attacks show the risks to operations when agencies rely on third parties to host IT services, say cybersecurity experts.

Denial-of-service attacks in the aftermath of the WikiLeaks incident show the vulnerabilities agencies face as they shift to cloud computing, say several cybersecurity specialists.

The online infrastructures underpinning WikiLeaks and the cloud -- where the White House wants to move government information technology systems -- depend on third parties to stay up and running. This month, Amazon, a cloud provider, kicked the WikiLeaks website off its servers and online payment service PayPal stopped processing funds for the site, after determining the organization's release of troves of classified documents violated acceptable use policies.

While cloud service providers are unlikely to turn off federal users' IT systems, other reliability threats lurk in the cloud that firms formerly associated with WikiLeaks now know all too well. WikiLeaks sympathizers are believed to have unleashed denial-of-service attacks, in which hackers inundate a site with useless traffic, to freeze the websites of MasterCard and Visa after the pair reportedly cut off payments to WikiLeaks. According to cybersecurity specialists, such attacks also can take down the U.S. government's cloud assets, the shared, Web-based IT that organizations access on demand rather than host on premises.

At least one overseas government already has experienced a denial-of-service attack in the fallout after WikiLeaks released hoards of State Department cables that revealed confidential and awkward details about foreign partners.

Officials with the Swedish Prosecution Authority, which has charged WikiLeaks operator Julian Assange with engaging in sex crimes, said, "Due to an unusual amount of visitors [the authority's] site became overloaded and eventually was closed down" on Dec. 7, adding, "the Internet supplier of the prosecution authority has confirmed that it was a deliberate attack."

When the U.S. government enters into agreements with Web IT providers, "I think we would want to have some assurances that the cloud service would not be prone to denial-of-service attacks," said John Gilligan, a former Air Force chief information officer and member of the Obama-Biden transition team who helped write the administration's IT policies for the defense and intelligence communities. "You've got to demonstrate that you can deal with these types of attacks" as a government cloud contractor.

Gilligan, who was chief information officer at the Energy Department from 1998 to 2000, said when Energy experienced a cyber onslaught, officials shifted publicly accessible Web services to an online environment that offered more capacity and security.

Some recently issued cloud solicitations did not stipulate that contractors be able to protect federal assets from denial-of-service attacks, said Edward Amoroso, senior vice president and chief security officer at AT&T, which recently received a slot on a governmentwide $76 million contract to host agency IT infrastructures online.

"We think that, if anything, the requirements for a carrier to redirect denial-of-service attacks away from the cloud infrastructure is a little under-attended to" in the government work requirements AT&T has seen, he said.

Agencies, however, have done a good job at guarding their physical, in-house IT against denial-of-service attacks -- perhaps even those executed by WikiLeaks "hacktivists," said James A. Lewis, a senior fellow at the Center for Strategic and International Studies who researches information security.

"Denial-of-service is the most basic kind of attack, but it looks like one we can beat off. It probably happens every week if not every day" to the U.S. government, he said. "They took down the Swedish prosecutor. You figure if they're going after one government they're probably going after others."