by Stephen Bryen
The Department of Defense is poised to give Amazon’s cloud services partner a ten year $1 billion contract on virtually a sole-source basis. This would mark a huge outsourcing step by the Defense Department, effectively moving unclassified and classified data to a private contractor.
The contract is sole source because only one contractor meets the security level that DOD claims is required to participate.
But letting the contract sometime this coming May raises many issues, among them:
1. the risk of relying on a single source for DOD data, creating a potentially massive vulnerability without any backup
2. a lack of certainty if the contractor can in fact apply strong security standards, since all the hardware and most of the software will be managed by the contractor
3. whether the DOD standard itself is credible and
4. whether a 10 year sole source commitment will block innovation in new and more secure technology at a time when the entire US critical infrastructure increasingly is under assault.
DOD is effectively in the process of committing most of its cloud computing to a single company without any assurance of any kind that the company will do anything more than comply with DOD’s security requirements, which have not proven effective inside DOD. A good example is what is called the STIG. STIG stands for Security Technical Implementation Guide. There are STIGs for local computer networks, STIGs for servers, STIGs for specialized computer systems and STIGs for operating systems and software. There are some 400 STIGs in use by DOD. In the real world the STIG turns out to be a semi-automated, check-the-box checklist that in most cases is very thorough. The idea is that each operator must comply with every requirement listed in the STIG. There are STIG tools to help users go through the review process, but the review is generally only an annual event and only covers whatever is included in the STIG itself.
There is no STIG for a cloud server farm. There are STIGs for individual servers and for hardware and software. But many cloud systems use customized software and server farm control systems, some quite complex, and right now these are not covered by any STIG.
Moreover a STIG is always playing catch-up, because a checklist built from yesterday’s vulnerabilities may not reflect new kinds of attacks. In any case, one of DOD’s problems has been getting its agencies to even do the STIG work; many of them request waivers because implementing a STIG is disruptive and may require that critical functions be suspended while remedial work is done.
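To make concrete what “a semi-automated check-the-box checklist” looks like, and why it only sees what it was written to see, here is an added illustration (not code from the article, from DISA, or from any real STIG tool). The rule identifiers, the rule set and the sample sshd_config are all constructed for the example; the only real behaviour it encodes is that OpenSSH honours the first occurrence of a directive, which a careless checker can get wrong.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One checklist item. The rule_id values are hypothetical, not real STIG IDs."""
    rule_id: str
    key: str
    expected: frozenset
    severity: str
    title: str


# Constructed rule set in the shape of a hardening checklist (not a real STIG).
RULES = (
    Rule("EX-SSH-001", "PermitRootLogin", frozenset({"no"}), "high", "Direct root login over SSH is disabled"),
    Rule("EX-SSH-002", "PasswordAuthentication", frozenset({"no"}), "high", "Password authentication is disabled"),
    Rule("EX-SSH-003", "Protocol", frozenset({"2"}), "high", "Only SSH protocol 2 is accepted"),
    Rule("EX-SSH-004", "X11Forwarding", frozenset({"no"}), "medium", "X11 forwarding is disabled"),
)

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed example)
Protocol 2
PermitRootLogin yes
PermitRootLogin no          # duplicate: sshd keeps the FIRST value, so this line is inert
PasswordAuthentication no
Ciphers aes128-cbc          # present in the file, but no rule above inspects it
"""


def parse_config(text):
    """Return {directive_lower: value}. Comments are stripped and, as in OpenSSH's
    sshd_config, the first occurrence of a directive wins. A checker that let the
    last line win would report the sample above as compliant when it is not."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def evaluate(settings, rules=RULES):
    """Score each rule as 'pass' or 'open'. A directive that is absent is scored
    'open': the checklist wants an explicit, verifiable setting, not a default."""
    findings = []
    for rule in rules:
        actual = settings.get(rule.key.lower())
        ok = actual is not None and actual.lower() in rule.expected
        findings.append({
            "rule_id": rule.rule_id,
            "severity": rule.severity,
            "status": "pass" if ok else "open",
            "actual": actual,
            "title": rule.title,
        })
    return findings


def uncovered(settings, rules=RULES):
    """Directives present in the config that no rule inspects. The checklist says
    nothing about them: this is the coverage gap the text describes."""
    checked = {r.key.lower() for r in rules}
    return sorted(k for k in settings if k not in checked)


def report(text, rules=RULES):
    """Run the checklist over one config file and summarise the result."""
    settings = parse_config(text)
    findings = evaluate(settings, rules)
    open_count = sum(1 for f in findings if f["status"] == "open")
    return {"findings": findings, "open": open_count, "uncovered": uncovered(settings, rules)}


if __name__ == "__main__":
    result = report(SAMPLE_CONFIG)
    for f in result["findings"]:
        print(f"{f['rule_id']} [{f['severity']:6}] {f['status']:4} actual={f['actual']!r}  {f['title']}")
    print(f"open findings: {result['open']}; directives no rule inspects: {result['uncovered']}")
```

Two things the output makes visible that the checklist idea alone does not: the `Ciphers` line is never examined, because nothing in the rule set asks about it, and the second `PermitRootLogin` line does not rescue the host, because the daemon ignores it. A script like this is cheap enough to run on every change rather than once a year, which is the real answer to the “annual event” problem; what it cannot do is judge anything the rule set never mentions.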
One of the certification requirements is a STIG process for cloud servers. It is complete guesswork how this will be implemented and whether the requirements meet the security need where massive data storage and management is taking place.
This is one of the strongest reasons why a single cloud system carries severe risks, but DOD does not appear to have any plan to mitigate the risk, either by having mirror server farms managed elsewhere by different companies or by using multiple vendors to reduce the chance of a single point of failure. In sum, the DOD proposal lacks backup and data distribution, both of which are well accepted standards for reliability, redundancy, recoverability and resilience.
There is also a world of difference between the command form of security at DOD facilities, even those with civilian employees (which most have), and the security culture of a commercial contractor. It is certainly a good thing to require cleared people, at least at Level 6 facilities, as DOD’s guideline proposes. But finding cleared and capable cyber security personnel is a significant challenge and may prove impossible in today’s marketplace. Silicon Valley has largely solved the talent problem by outsourcing as much as possible and bringing in foreign talent on special visas. That is not possible in a strict security environment, and the contractor is going to have serious issues staffing the DOD cloud. This probably means a lot of the hardware and software support will be outsourced, and this is a hidden danger that looms large in the future. The outsourcing vendors will not have security clearances and are likely to hire many foreign persons to do the work. Draw your own conclusions.
The DOD standard as it is today really needs rethinking to make it viable in a changed technology environment. For example, the STIG idea is far too static to be applicable to anything as mammoth as a cloud system. Furthermore there is no requirement of any kind as to what is acceptable technology in a cloud system and what might be dangerous or vulnerable. That is largely because DOD has been so focused on buying commercial off-the-shelf products (COTS) that it has accepted seriously vulnerable technology for mission critical systems throughout the military and its command systems. This approach is simply replicated when it comes to outsourcing, and the absence of any system to vet the integrity of a system is glaring and deeply worrisome.
Finally, there is the big problem that picking one cloud vendor blocks future innovation and any new approach to achieving secure networks. Putting all the eggs in one basket gives the basket holder a dominant position in the narrow DOD market. It is rather like creating another gargantuan Lockheed that makes the only fighter fit for service by the Air Force, Navy and Marines. Replicating that sort of risk means rising costs, a future lack of innovation, and danger if the system is bested by a strategic competitor.
Cloud services, to be sure, offer many important benefits, provided they perform as advertised and provided they are not compromised. But we know our adversaries know this too, and they are refocusing their attention on penetrating cloud systems. DOD may be jumping the gun and may not be prepared for the negative side of its new cloud technology “imperative.”
Especially distressing is the fact that DOD has not carried out a comparative analysis of any kind of the security systems offered by cloud vendors. This omission is glaring and inexcusable. In reviewing various vendors, few provide much public information on their security approach, but Google (one of the smallest of the cloud vendors at present) has outlined an in-depth approach that features customized hardware and software and some unique security features. Also missing is any independent assessment even of the “preferred” vendor singled out by DOD. All of this leads one to doubt the integrity of this proposed procurement, and points to a lack of understanding of the risks and a failure to do even the minimal work necessary to make sure the presumed preferred choice is the right one. Any independent investigator would smell a rat.