Recent leaks have the CIO’s office contemplating red teams and more IP scanning.
BALTIMORE—Recent experience has taught Pentagon officials to take extra steps when it comes to the security of commercial clouds. Now they want to poke around and see for themselves.
“We've had some incidents recently that have shown that we probably need to shore [up] some visibility issues where maybe we do some outside-in looks at the clouds that they built for us,” said David McKeown, the Pentagon’s acting principal deputy chief information officer, during a panel at the AFCEA TechNet Cyber conference on Wednesday.
Cloud service providers hired by the Defense Department go through a “rigorous set of checks,” set up continuous monitoring, and regularly report findings to the department.
But leaks can still happen. To prevent them, DOD wants to be able to regularly check the cloud infrastructure that companies operate on its behalf.
“I want to be able to understand what's going on on their perimeter as well. And maybe even take a deeper look from a red-team perspective inside of that,” McKeown told Defense One.
“Because if somebody hacks into the hypervisor”—the software layer of the cloud that connects servers to all the devices plugged into it—“they can have the keys to the kingdom over on our side. So we want to make sure that what they've got there is solid and stays solid over time.”
The concept isn’t new. A provision in the 2023 defense policy bill authorized the Pentagon to conduct threat assessments for cloud infrastructure that holds classified data. And DOD has been working with cloud service providers to do that for custom-built, not commercial, cloud systems and “there hasn't been huge pushback” so far, McKeown said.
McKeown said the new checks would be a form of “active defense,” such as scanning IP addresses to look for vulnerabilities on various systems.
“We could just do external scans of that and see what's exposed to the internet. And if it's vulnerable, and if we find something vulnerable, we would, of course, tell them and have them get on that right away. And we would do the same thing on our side of the cloud,” he said, offering an example.
“I see every time there's an incident, there's a lot of disparaging comments about putting all of our eggs in a cloud service provider's basket,” McKeown said during the panel. “But I'll tell you what I've witnessed: when we are in charge of building things and securing them and defending them, we haven't historically done that great of a job either inside the department.”
The bottom line: “We have to both be successful, cybersecurity-wise, in order for us to continue to succeed together.”