Cloud poses special cyber risks for critical infrastructure, report warns

Cloud computing technologies can present major cybersecurity risks to federal agencies and other organizations that fail to adapt their existing processes and workforce to the cloud paradigm, according to findings published Monday..

The Cyber Statecraft Initiative at the Atlantic Council’s report explores emerging risks associated with critical infrastructure organizations leveraging new cloud services and offerings. The report highlights two distinct risks associated with cloud technologies: compounded risk and delegated control and visibility. 

Compounded risk arises when the use of multiple cloud services create an increasingly complex infrastructure that heightens the threat of security breaches. Delegated control and visibility can create risks when users of cloud services have limited insights into the underlying infrastructure of their products and lack direct control over critical security matters.

"Cloud computing provides a host of efficiency and scalability benefits for adopting organizations," Maia Hamin, associate director at the Cyber Statecraft Initiative, told Nextgov/FCW. "Often risks arise when a cloud-adopting organization misunderstands what they no longer have to worry about or how their old models apply to the cloud."

The adoption of cloud computing technologies is clearly on the rise across critical infrastructure sectors: the report notes that the healthcare sector — which spent just over $28 billion on cloud computing technologies in 2020 — is projected to spend nearly $65 billion on cloud computing offerings annually by 2025. Throughout the transportation and logistics sector, major organizations have begun cloud transitions, like the UPS transition in 2019 with Google Cloud. The report notes the use of cloud technologies was critical during recent high-volume periods like the COVID-19 pandemic, when UPS delivered over a billion vaccine doses nationwide. 

The report says that the defense sector appears to be the slowest in adopting cloud technologies among all of the surveyed critical infrastructure sectors, in part due to stringent, slow-to-change security requirements. The Navy is the chief adopter of cloud computing throughout the U.S. military, according to the Cyber Statecraft Initiative’s findings, as it began transitioning critical management tools for hundreds of ships and aircraft to the cloud in 2020.

Major defense contractors have also increasingly augmented on-premises infrastructure with cloud deployments, including Boeing, which decided to use cloud offerings from multiple CSPs starting last year. 

But many agencies and organizations are still struggling to adequately secure their systems and federal networks — even in the midst of major modernization journeys.  

In some cases, cloud service providers may be reluctant to share the internal algorithms and infrastructure frameworks behind their service offerings — particularly with the federal government. In other instances, CSPs may lack a critical level of internal visibility into some of their own dynamics, the report notes. 

Hamin said that challenges with compounded risk and delegated control and visibility are increasing as organizations effectively outsource major components of their risk management to CSPs, "which means customers must trust their promises with respect to security and resilience."

"Because there are so few cloud providers and services are interlinked through complex webs of dependencies, one outage or compromise could impact a host of organizations at a time, making the risks of compounded or interlinked failure more acute," she added.

The report calls on sector risk management agencies like the Department of Homeland Security, the Environmental Protection Agency, the Department of Energy and more to establish cloud management offices. These offices can help evaluate sector dependence on cloud technologies, define best practices and identify unique risk points associated with the critical infrastructure sector and its specific cloud needs and requirements. 

It also encourages organizations to systematically evaluate their use of cloud computing and urges the Cybersecurity and Infrastructure Agency to play a facilitating role in the adoption of frameworks and best practices for organizations working with and leveraging CSPs. 

"Cloud computing underlies so much of our digital world today, and the federal government needs to be working closely with the biggest CSPs to understand and help manage the risks that arise," Hamin said.