How 'hypothetical' is the cloud security threat?

Is the cloud threat overplayed or did former federal CIO Vivek Kundra’s comment on a “hypothetical” threat hold any truth? The majority of FCW’s readers seemed to think Kundra had underestimated the challenges and voiced their opinions of the ex-fed’s remarks, cloud security and its use in general.

One reader wrote Kundra was “seriously off track” when he suggested in a New York Times op-ed that the United States shouldn’t hesitate to prioritize cloud spending because of “hypothetical security threats that serve the entrenched interests of the IT cartel.”

“I'm very disappointed that he made that characterization, given the in-depth classified background information he has been provided in his position,” Fed Security Guy commented. “Federal agencies continue to struggle tremendously to define/describe exactly what security strengths there may be in cloud computing, hence the preference for private clouds.”

Another reader echoed these sentiments, saying Kundra had oversimplified the problems of a cloud migration. That reader also suggested that the move to cloud would happen not because of Kundra’s 25-point plan, but because cloud computing “represents a huge revenue generator at the tune of 100s of billions of dollars a year, and companies follow the money.”

“I also found Kundra’s article and subsequent speech in poor taste especially for a person in such a high position,” that same reader commented. “I was raised that some things are better said in private circles. In summary, I had a lot of respect for Kundra till I saw his article in the NYT.”

Another reader critic said it would take a cyberattack to determine the accuracy of Kundra’s comments.

“I guess this question will be answered when the first major 'hack' of government data in the cloud hits the press,” Mike wrote. “Perhaps it will happen -- perhaps not. Either way, Mr. Kundra is safely positioned in the ‘soft’ confines of academia. Priceless.”

Charles 'Kip' Kiplinger posited that the threat scenario depends on whether users are in the commercial sector or the public sector as they use the cloud differently.

“I have big reservations in the security of information belonging to our country being outsourced,” he wrote. “I haven't heard of anyone losing their life over someone getting access to the designs of next year's car line, but knowing how to defeat the latest UAV definitely will have that effect. Conceptually, the idea is sound, but DOD needs to put its efforts into development of their own cloud. Other areas of the government complex may be well-suited for the private cloud though.”

Only one reader who commented took an opposing view, saying Kundra hadn’t downplayed the treat because the risk level is “inversely proportional to implemented level of security.”

“We have known for a long time how to secure our systems,” Howard wrote. “Problem is getting the business process owners/functional managers to define and implement a security level that’s above their accepted level of risk. It all comes back to cost of security vs. business case risk analysis, and that is not the CIO decision; it belongs to the CEO to make the call and to date, it has been in favor of the business manager.”