New cloud security task force presses for stakeholder accountability

When MITRE convened cyber professionals from the nonprofit and public sectors in early December to exchange notes about protecting cloud systems, the last thing on peoples’ minds was whether they were wasting time networking at another D.C.-area cybersecurity event.

As they entered MITRE’s Building 4 at the government-backed R&D giant’s McLean, Virginia campus, the urgency of the matter was beyond obvious: craft a blueprint for securing vital cloud computing systems the Defense Department and other national security entities rely on, or allow another Solar Winds incident that could risk crippling public sector IT systems managed by cloud platforms.

Several cloud security lapses have further sounded the alarm over the past year, including a major headline-making cyberattack in which China-linked operatives exploited a series of Microsoft cloud system defects to break into the inboxes of high-level U.S. officials, prompting vast congressional oversight and harsh questioning over how the federal government heavily relies on a small number of tech giants that offer cloud management services.

MITRE, the Advanced Technology Academic Research Center, the Information Technology Acquisition Advisory Council and the Cloud Security Alliance make up the powerhouse quartet that hosted the professionals and formed the recently launched Cloud Safe Task Force that’s seeking to guide the private sector and governmental entities on how to stop hackers from compromising cloud environments. 

The organizations have a long combined history of advising the U.S. on best practices for intelligence, security and defense innovation. But getting to secure cloud systems is another arduous step of its own. Despite a Biden administration-wide approach to enact a stricter regulatory regime for protecting U.S. networks from cyber intrusions, CSTF isn’t ready just yet to align itself with that same approach taken by the administration.

The White House is great at saying what should be done in cyberspace, but not how to get it done, said John Weiler, the task force’s co-chair and executive director of IT-AAC.

“If you don’t address the current processes and laws that are already in place, then you won’t get anything done,” he said. “If you don’t address them, then [White House directives] are meaningless mandates.”

The question at the heart of the task force’s considerations: If cloud security is so vitally important, how much regulation can possibly be enacted to secure such  systems without upsetting stakeholders? 

Despite dire warnings from the intelligence community about nation-state cyber threats, some lawmakers have pushed back on those harsher cyber measures, and comments from industry groups have echoed similar concerns.

“This paper we wrote, I will tell you that [the] government probably wasn't 100% pleased with it, nor was industry,” said David Powner, head of MITRE’s Center for Data-Driven Policy, referencing a roadmap he co-authored that outlined the task force’s recommendation steps for securing the cloud. 

The blueprint released last week is concise yet extensive, recommending the White House, Congress, federal agencies and private sector adopt guidance and measures that could assist with shoring up cloud systems’ safety.

“As more and more data migrates to the cloud, the attacks have escalated, raising concerns about deficiencies in cyber resilience and operational hygiene, especially in certification processes and dealing with known vulnerabilities,” the task force’s readout says.

Cloud computing security has become increasingly prevalent over the past decade amid widespread adoption of cloud services by businesses and individuals alike. This only accelerated with pandemic-fueled digital transformations at the turn of the decade, as cloud platforms became especially vital in schooling and work-from-home environments.

That fast adoption, combined with the diverse mix of cloud service models that are run mainly by the private sector, make regulating the space difficult, even before cybersecurity measures are considered.

“Do we have the exact solution on how far you go with regulatory actions? No, but it’s something we're gonna flush out in greater detail,” Powner said, adding that many of these matters would be hashed out in regularly scheduled sessions throughout 2024.

Much of the onus in the task force’s roadmap falls to Congress, which is being urged to pass legislation that would create a greater accountability culture in the industry for disclosing cloud breaches and enhance the oversight powers of third-party organizations that conduct security assessments. 

That may also involve empowering cyber agencies, like the Cybersecurity and Infrastructure Security Agency, with more resources to analyze and track threats in the cloud.

“It’s about making cloud information more available so that others can find it, and [help them] recognize they may have that same vulnerability,” said Mari Spina, a senior principal cloud security engineer in MITRE’s Cyber Solutions Innovations Center, who also co-authored the roadmap.

Over 20% of cloud-based security incidents are linked to misconfigurations in cloud accounts, according to PingSafe, a cloud security provider owned by SentinelOne. The company has also marked a 13% increase since last fall in cloud ransomware attacks over the past five years.

The federal government’s cloud computing strategy was last updated in 2019, focusing on cloud implementation in the federal sphere. The cloud task force has called for an update to this strategy that would put security frameworks at the center of the guidance.

“National security in major critical government operations are at stake with some of these cloud offerings,” Powner said. “So we want to make darn sure when there are updates to offerings, that we don’t have a process in the government that slows things down for the government getting similar updates.”

The next CSTF meeting is scheduled for March 19 and will focus on initiatives for measuring and monitoring cloud security.