Official: Executive Order to Address Cloud Security Through Procurement


Lawmakers question why basic security features are not already the default.

The White House plans to double down on commercial cloud technology through an upcoming executive order in response to the massive hacking campaign that leveraged cloud services to gain broad access into the networks of several federal agencies.

In the so-called SolarWinds hack, perpetrators used a trojanized update of the network management company’s software as well as common techniques like password spraying to gain initial access into nine federal agencies and about a hundred companies. But they also exploited a weakness in Microsoft’s Active Directory Federation Service to jump to organizations’ cloud-hosted Office 365 accounts and move laterally to other parts of organizations’ systems. 

This spurred a question during a briefing with a senior administration official Friday about whether the government was thinking of moving federal agencies off of commercial cloud services and on to new systems built from scratch.

“The federal government, as you know so well, is very large,” the official responded. “And what we want to do is move to best-of-breed commercial technology and take advantage of the innovation of our private sector. I think we don't even need to build something new from the ground up when we think that there is much stronger, innovative technology available that we can move to -- including cloud, including security implemented in the cloud, zero[trust]-based principles, and other related areas.”

The official said the executive order will include ideas about how to establish a public rating system for software and standards for connected devices, in addition to efforts to modernize agencies’ information technology. 

“We're on a tight timeline to move there,” the official said, continuing to address the question of attackers targeting cloud services. “Beginning with the compromised agencies, as well as addressing, in the upcoming executive action, some of the foundational areas that we think will help the federal government use procurement to be a leader in this space, and, really, in meeting in this space, address both private-sector and government challenges in finding, buying, and using innovative, usable, and secure software and hardware and systems.”

The idea of cloud providers profiting, particularly through emergency funding included in the recent American Rescue Act, from basic cloud security features that would have helped mitigate the recent hacking campaign rubs some lawmakers the wrong way.

During a recent hearing of the House Appropriations Committee’s panel on homeland security, chairwoman Lucille Roybal-Allard, D-Calif, pressed officials from the Cybersecurity and Infrastructure Security Agency on the lack of comprehensive logging to track activity in Microsoft’s Office 365, except through premium licenses.

“The American rescue plan includes a substantial funding infusion for federal IT modernization and cybersecurity, including the $650 million for CISA,” she said. “One of the things that is concerning to me is that many federal office 365 email accounts have only the most rudimentary security logging capabilities, which is necessary for cyber defenders to track malicious activity. It's also concerning that a significant portion of CISAs American Rescue Plan Act funding is slated to go to upgrading these licenses. Why isn't advanced security logging enabled by default on any of the federal cloud accounts that the government procures and how much of that $650 million supplemental funding is currently planned for licensed upgrades to support logging?”

The congresswoman also specifically asked if CISA intends to issue a directive forcing agencies to acquire the premium licenses. 

Eric Goldstein, executive assistant director of CISA’s cybersecurity division, responded that “as part of our funding request, we do intend to develop a process to improve the level of cloud security across the federal government, one option that could be considered is the improvement of licenses with existing vendors.”

On Monday, Reuters reported that Microsoft could collect more than $150 million, nearly a quarter of CISA’s allotment in the rescue package, under the agency’s plan for the funding.