In August, the Secretary of Homeland Security announced the Cyber Safety Review Board (CSRB) would open an investigation into the malicious targeting of cloud computing environments across the federal government.
Aimed at peeling back the curtain and shedding new light on what cloud providers are really doing when it comes to cybersecurity, this review is a welcome move for many in the security industry – and frankly a much-needed deep dive into the United States’ current cloud security posture, as we look to further secure our national cloud footprint.
Currently, cloud providers can keep a lot of information hidden, leaving organizations in the dark and making it hard for them to take appropriate action when it comes to cloud security strategy. This CSRB review has the potential to change that.
The CSRB, which initially came to bear following President Biden’s 2020 Executive Order in response to the SolarWinds attack, was designed to investigate cybersecurity incidents of widespread impact to prevent similarly far-reaching attacks from happening in the future.
The CSRB’s goal was to establish a set of actions that the federal government, private sector, and cloud service providers (CSPs) alike could all take to strengthen identity management and authentication practices in the cloud – a hotbed for ongoing geopolitical cyber activity.
The Reality of Accountability and Transparency in the Cloud
The cloud has never been more vulnerable than it is in 2023, and at the same time it’s never been more essential for federal operations. Risks and vulnerabilities posed by the cloud are at an all-time high. Yet, national resilience hinges on resilience in the cloud.
As federal agencies look to shore up their cyber resilience postures and make progress on federal compliance mandates, it’s essential that cloud providers are providing them with transparent, authentic communications on the state of cloud risk and overall security posture, so they can prioritize investment and action accordingly.
With the CSRB’s review commencing, there’s a lot of potential for the federal government to shed light on what cloud providers are really doing (and what they can be doing better) when it comes to cybersecurity. How are they managing federal data? Who has access to that federal data? And how are they ensuring that a single breach doesn’t take down the entire federal government? In turn, this review will enable the federal government to hold CSPs and federal agencies more accountable on data management, security and compliance practices in the cloud – especially as the federal government continues to urge organizations to move to a more centralized cloud environment.
What Accountability and Transparency Look Like
The CSRB released its most recent review (on the Lapsus$ hacking group) in August. The group behind attacks on Nvidia, Samsung, Okta and countless others had notoriously facilitated attacks against a slew of various government agencies and corporate networks throughout 2021 and 2022. Among its major findings, the report discovered that “many different organizations do not include third-party service providers and business process outsourcers (BPOs) in their risk management programs, enabling threat actors to exploit client relationships and conduct downstream attacks.”
Based on key takeaways like this, the federal government was able to make a list of recommendations for organizations and technology providers to safeguard themselves against similar attacks in the future. Similarly, the CSRB review will fuel other accountability efforts – holding cloud providers and agencies accountable to more stringent federal deadlines, ensuring cloud strategies and technologies are constantly maintained, or even potentially enabling federal entities like the Securities and Exchange Commission (SEC) to fine cloud providers for poor security practices.
Like any major cybersecurity review, this CSRB investigation has the potential to lead to real change as long as the outcomes are reinforced by action and accountability. We know that knowledge is power. And investigations like this often uncover information that leads to meaningful action – whether that’s accelerating Zero Trust adoption, reinforcing basic security hygiene in the cloud, mandating more rigorous testing and reporting on cloud infrastructure, etc. There will be some positive, collective learning that results from this.
Altogether, reviews like this are a giant step in the right direction, and they inspire a much greater sense of transparency and accountability in how we’re approaching strengthening our national cyber resilience. What we’re doing right, where we’re getting wrong and, collectively, how we can all do better from here. Cyberattacks won’t stop anytime soon. We have to modernize our cloud security strategies, and work better together, accordingly.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email editor @ hstoday.us.
