Companies such as IBM, Microsoft, Amazon Web Services, Oracle, Google and others have made billions of dollars by persuading their corporate customers to migrate their computing functions (meaning data as well as software on demand) to “the cloud.” The cloud allows the big IT providers to manage a company’s IT systems, either offsite or onsite or in some combination. The marketing pitch is that the cloud is the safest way to go.
Now comes the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security have issued this joint report. It’s noteworthy that these two agencies would take such a step. The report raises many doubts about whether cloud operators are as squeaky clean and safe as they pretend. Once an attacker penetrates one part of a cloud system, he may be able to move throughout an entire cloud network of dozens of companies and government agencies.
It happened to IBM when APT10, as I described in The New Art of War available here, penetrated its systems for four years. Advanced Persistent Threat group No. 10 was affiliated with the Chinese government. It got into IBM’s cloud system and then “hopped” into the systems of dozens of other companies who had trusted IBM to protect their data. When the federal government revealed the penetration in 2018, IBM said it could find no trace of any such actions. So much for all the hype surrounding the cloud. This report today merely reinforces the suspicions I harbored in The New Art of War. For my latest, A Grand Strategy, which lays out a program to counter China’s technological ambitions, go to this Amazon listing.