Federal Cybersecurity Advisor Floats Executive Order on Cloud Service Providers

Cloud service providers should not be allowed to market baseline security features as add-ons requiring special licenses, according to a prominent member of a new federal advisory committee at the Cybersecurity and Infrastructure Security Agency.

“You should not have to pay extra for security, I'm sorry, that is immoral for companies [to charge for],” said Alex Stamos, partner at the Krebs Stamos Group, who called for executive action on the matter. “I'd love to see an executive order that any cloud product that is bought by a federal agency has to support [multi factor authentication], [single sign on] and basic audit in the most base paid package.”

Stamos is one of 23 members on CISA’s new federal advisory committee which met for the first time Friday. The firm he started with former CISA Director Christopher Krebs consulted with Solar Winds after hackers infiltrated the company and subsequently compromised several federal agencies last year. Stamos also directs the Stanford Internet Observatory. Like Krebs, he built up credibility in the community while dealing with hyper-politicized election security issues.

The idea that it is simply wrong for cloud service providers to upsell security features is not new among policy makers. The aftermath of the Solar Winds event highlighted challenges tracing the attackers’ steps associated with logging capabilities being tied to higher-cost licenses at Microsoft. 

Stamos raised the issue during a discussion of how to turn the corner on cybersecurity hygiene, an area for which CISA Director Jen Easterly sought recommendations and asked George Stathakopoulos, Apple vice president of corporate information security, to lead the work.

“It is not just Microsoft, it’s a huge number of cloud companies,” Stamos said. “Apple to their credit does not do this. But a huge amount of cloud companies charge you more money so that you have to be on an enterprise license to have MFA or SSO. They need to be called out and shamed.  Honda won't sell you a car without airbags unless you pay extra, right? The airbags need to be in the baseline.” 

Other proposals raised for motivating companies to implement appropriate security measures ranged from providing tax incentives and protection from liability when they do, to enforcing fines when they fail to.

Stamos highlighted the difference in capabilities within the private sector to stress his point about the responsibility of cloud service providers.  

“Give it to everybody who's paying five bucks a month or 10 bucks a month for your product, do not charge 20 or 30 or $50 a month to get the basic security functions,” he said. “It's just a completely unethical thing. For big businesses to hold up small businesses, ‘can't be secure unless you pay me more money,’ just really pisses me off, to be frank.”

Easterly expressed optimism even while noting consternation about the exclusion of bipartisan incident reporting legislation from the next National Defense Authorization Act.   

“Alex, with the moral outrage that I think we can all align ourselves to. I agree with that, right, security should be table stakes at the end of the day,” she said, regarding Stamos’ comments. “I really feel like we can make some significant progress here, I think we're at a moment in time, so I look forward to that.”

Absent regulation, Easterly has embraced the approach of simply asking cloud and other backbone internet service providers to partner with the agency as plank bearers in a Joint Cyber Defense Collaborative that would ideally increase visibility across U.S. critical infrastructure. 

CISA’s cybersecurity advisory committee was established under the National Defense Authorization Act of 2021. During the public comment portion of Friday’s meeting, Patrick Doyle. executive director of the National Technology Security Coalition, credited the group with spearheading the committee's creation.

Doyle described the NTSC as the only national organization representing chief information security officers and congratulated JPMorgan Chase and Microsoft “for their membership on the advisory committee, as they both have a board presence with the NTSC.” Microsoft is also an NTSC underwriter.

Over the next two years the committee will be chaired by Southern Company President and CEO Tom Fanning, and vice chaired by Mastercard Executive Vice President and Chief Security Officer Ronald Green.