Responding to Homeland Security Today editorial and multi-media director Dan Verton’s recent report, Cloud Conspiracies – Has The NSA Poisoned Cloud Computing? MacDonnell Ulsch, CEO and Chief Analyst of Boston-based ZeroPoint Risk Research, LLC, said "The allegations regarding the National Security Agency (NSA) are certainly not helping the cloud computing initiative."
Verton reported that “The ongoing NSA domestic snooping scandal continues to produce a treasure trove of news for aspiring journalists and columnists,” noting that “the most interesting to date comes from Rafael Laguna, CEO of the German web productivity company, Open-Xchange, who argued in a piece published in TechWeek Europe that the reality of massive surveillance by the world’s most powerful spy agency may have eroded the public’s confidence in cloud computing.”
"The challenge for the EU is to prove that data can be stored in Europe in confidence and that integrity and confidentiality of data is not compromised by secret agreements with security agencies or governments," wrote Laguna. "Europe can lead the world in digital privacy standards, and help the cloud to regain any trust that may have been lost."
“Laguna’s argument is probably right,” Verton said, pointing out that “Cloud computing — at least for those who understand what cloud computing is — has probably suffered a small black eye in the game of public perception, particularly when it comes to security and privacy. But what our European friends need to understand is that digital privacy died many years ago. And while the circumstances surrounding its demise are murky, there is evidence that suggests it may have first met its end in Europe.”
“However,” Ulsch told Homeland Security Today in an interview, “EU marketers representing EU cloud providers have long maintained that EU information has never been safe with US cloud providers because of the USA Patriot Act. This is a tactic used by them to steer EU business to their own cloud providers.”
“Certainly,” Ulsch said, “the NSA scandal will continue to feed fears about the integrity of EU personal data integrity,” but that “this is a clear demonstration of the US government hobbling US industry through public policy that was not effectively scrutinized.”
Author of the bestselling book, THREAT! Managing Risk in a Hostile World, and an authority in privacy and counter-espionage who advised the office of counter-intelligence of a US President and served as a Trusted Advisor to the US Secrecy Commission chaired by Senators Jesse Helms and Daniel Moynihan, Ulsch said, “Perhaps the NSA and others in government considered the private sector consequences of a leak, especially regarding US competitiveness, but I doubt it."
“I believe that the government stamped the NSA program ‘Top Secret’ and believed that the various elements in that supposedly secure environment would afford all the protection needed," said Ulsch, who co-authored an information security policy paper with Sen. Sam Nunn, former chairman of the Senate Committee on Armed Forces.
But, “Obviously, this was not the case,” Ulsch commented. “So, now, US cloud services will face an increasingly uphill battle in winning critical business, and our economic competitors have been given by the US government the tools necessary to win over US companies.”
“Once again,” Ulsch said, “when the government said that help was on the way, the assistance actually landed in the laps of others. The reality is that EU data is not especially safer in cloud services from other countries, but that does not seem to matter in the fog of cyber and economic war.”
Ulsch, who uncovered and investigated one of the largest and most complex industrial espionage and fraud cases in US history that involved several Fortune 500 companies and was prosecuted by the US Department of Justice, told Homeland Security Today: “I would pose this question to foreign cloud providers: can you actually state, with a straight face, that if the foreign government in which the cloud company operates wants to gain access to certain data that the request will be denied? Would a cloud provider in China refuse such a request? That is highly doubtful.”
“One key concern about the cloud is this: the cloud community, foreign and domestic, is experiencing strong growth,” said Ulsch.
And “This results in two consequences,” he said. “First, it leaves little room for companies to negotiate individual contracts with cloud providers. So, a company concerned about security and information integrity may not be able to persuade the cloud provider to enhance security. We hear this a lot from clients. Second, what happens when cloud providers need to utilize other third-parties, either because they need to expand capacity or lower cost through the use of offshore service providers. And, what if those service providers to the principal cloud companies are based in countries that have high rates of organized crime, state-sponsored espionage and even terrorism and narcotics trafficking?”
Furthermore, Ulsch pointed out, “What if those companies conduct business in countries associated with low transparency and high levels of corruption?” And “What are the defensive mechanisms and policies in place to keep criminals, spies and terrorists out of those service providers to the cloud companies?”
“We face an onslaught of cyber attacks from a dizzying array of threat sources — a condition that will grow worse long before it gets better,” Ulsch said. “The fact is, we don’t really know who can gain access to information in databases anywhere. Some companies use encryption, some don’t.” And, “Some data is regulated, some isn’t.”
“Certain targeted intellectual property and trade secrets have great value,” but “if the value is great enough, if the need is strong, and the will of the attacker is resolute, the protective system in place needs to be able to meet the challenge,” Ulsch explained, adding, “I [just] don’t see that as the case today. Adding cloud computing capacity offshore is not going to enhance information security and integrity.”
“There are seven elements any company must address when it comes to protecting that information in the cloud, whether that cloud is in China, the Ukraine or the US,” Ulsch said. They are “Information security, information privacy, threat and risk analysis, range of regulatory compliance experience, enforcement mechanisms relative to demonstrations of proof of information integrity, access to cloud and other third-party vendor internal audit data and foreign corrupt practices management.”
“When we see breach data in the media and in regulatory filings, these are where the deficiencies exist,” Ulsch said.
“Cloud computing is, in many ways, like managing any third-party vendor,” Ulsch concluded. “You are responsible for making sure that your risk is effectively managed. In virtually every breach investigation we have conducted, a third-party is involved and is the source of the breach. So, when foreign cloud providers profess that their clouds are safer than our clouds, it is nothing more than a smoke screen deployed to distract and divert … And that is not to be confused with the security and integrity of information.”
[Editor’s note: Read MacDonnell Ulsch’s earlier op-ed for Homeland Security Today, The Cyber Enemy and How It Uses the Internet]