The Defense Department shocked the information technology industry after announcing last week it would turn to Microsoft for its $10 billion cloud computing infrastructure, rejecting long-standing criticisms over whether it’s wise to depend on a single company for such an important task.
The award signals a sea change in how the military will protect its most closely-held national security secrets. Unless a bid protest puts a stop to it, U.S. military agencies will soon begin transferring hundreds of disparate computer systems onto a centralized system managed by Microsoft.
The Pentagon currently relies on a hodgepodge of mainframes and smaller clouds — many of which are locked down because they contain sensitive classified information. But defense officials have long said this disjointed approach has made it impossible for them to push out software updates in a timely manner, hampering their response to emerging cyberthreats.
The award of the $10 billion JEDI (Joint Enterprise Defense Infrastructure) contract bypassed Google, IBM, Oracle and Amazon, which President Trump has repeatedly slammed because its head, Jeffrey P. Bezos, also owns The Washington Post. Trump, who has slammed The Post's news coverage of his administration, had threated to intervene in the competitive bidding battle.
Pentagon officials noted in the department’s official cloud strategy, released in early February, that the existing patchwork approach has created unnecessary security risks.
“A combination of overly strict policies and procurement procedures make it difficult for DoD to ensure that both hardware and software are updated appropriately,” the Defense Department wrote.
Moving to a centralized cloud operated by Microsoft promises to allow the military to move more quickly. So-called cloud computing infrastructures — in which organizations rent computing services from specialized providers rather than operate their own — are already common in the business community.
Placing its computing systems in the hands of a single tech company is expected to allow the “rapid roll out of software and hardware updates” that are difficult in a government setting, according to the Pentagon.
But putting all of the military's eggs in one basket is also dangerous, say some, producing a juicy target for state-sponsored hackers like the Russians and Chinese. Recent high-profile data breaches involving Amazon’s products, for example, have heightened concerns around the security of cloud products.
Garrett Bekker, an IT security analyst with 451 Research, said moving to the cloud could introduce new security problems even as it solves the Pentagon’s existing ones.
Bekker said that adopting a “hyperscale” cloud provider like Microsoft allows the Defense Department to use the best cyberdefense tools Silicon Valley has to offer.
But by centralizing too much sensitive data in one place could mean there is more to lose with each given security breach. The role an Amazon employee played in a recent data breach at Capital One — thought to be one of the worst breaches ever to hit a financial services firm — is a stark example of how working with a cloud provider can create new security risks.
“Both Amazon Web Services and [Microsoft] Azure have introduced a ton of security features that the average enterprise doesn’t have access to,” Bekker said. “But the flipside of that — and we learned this from Capital One — is that a single breach can be almost catastrophic.”
John DiLullo, chief executive of Lastline Inc. said cloud products typically mean “less risk of traditional threats, and more risk of a catastrophic accident.”
PINGED, PATCHED, PWNED
PINGED: The Federal Communications Commission will hold a final vote next month on a proposal to ban U.S. telecommunications companies receiving agency funding from using Huawei and ZTE networking equipment, TechCrunch's Zack Whittaker reports. The agency has echoed concerns from the Trump administration and some members of Congress that the equipment poses a “national security threat” and could be used as a backdoor for Chinese spying.
“We need to make sure our networks won’t harm our national security, threaten our economic security, or undermine our values,” said FCC chairman Ajit Pai. “The Chinese government has shown repeatedly that it is willing to go to extraordinary lengths to do just that.”
The proposal would ban telecoms using the equipment from receiving FCC funds earmarked for subsidizing services for low-income consumers. The FCC would introduce a reimbursement program for suppliers who need to switch equipment. A small number of rural wireless providers have used the funds to buy Huawei equipment, but the FCC wouldn't say how many.
PATCHED: Democratic campaign officials and lawmakers are decrying the Trump administration for failing to coordinate with tech companies over growing foreign threats to the 2020 elections, my colleagues Isaac Stanley-Becker, Ellen Nakashima and Tony Romm report. Campaigns are concerned the White House lacks a public strategy to counter foreign influence campaigns.
Some Democrats alleged that President Trump's efforts to discredit Russian interference have undermined the ability of security agencies to tackle the problem. Many also blamed Facebook for publicly disclosing the Russian accounts before notifying campaigns or lawmakers, leaving them without recourse for action.
Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Intelligence Committee, called Facebook's failure to disclose to Democratic campaigns they had been targeted before making a public announcement “extraordinarily disturbing.”
A senior administration official told my colleagues there is a strategy, but that it is classified, adding, “The U.S. government has made significant progress in recognizing malign foreign influence operations and defending our homeland and our allies against this threat.” The U.S. Cyber Command has urged private companies to share more information with the government.
“The threats are ongoing and persistent,” a senior intelligence official told my colleagues, speaking on the condition of anonymity under ground rules set by the official’s agency. “They’re more diverse. We have more actors on the field. In addition to Russia, there’s China, Iran, hacktivists, ransomware.”
Facebook pointed my colleagues to an earlier statement saying it had “shared information with industry partners, policy makers and law enforcement.”
PWNED: Russia-backed hackers have carried out attacks against more than a dozen organizations associated with the 2020 Tokyo Summer Olympics, researchers at Microsoft revealed in a blog post yesterday. While most of the attacks were unsuccessful, they could indicate hackers are gearing up for a major attack during the summer games or sharpening their skills for an even bigger target.
The group, Fancy Bear, targeted at least 15 national and international sporting and anti-doping agencies using a wide variety of tactics including exploiting Internet-connected devices and fake emails to try to get users to share their passwords. The attacks began just before the World Anti-Doping Agency (WADA) warned Russia about a potential ban for the next games.
A WADA spokesman told Nicole Perlroth and Tariq Panja at the New York Times it was aware of Microsoft’s disclosures Monday but said there was no evidence the agency’s systems were breached in the attack.
Fancy Bear previously released medical records and emails from sporting organizations and anti-doping officials in 2016 and 2018 in retaliation for bans on Russian athletes. The group also breached the Democratic National Committee in 2016.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
- Rep. Bennie G. Thompson (D-Miss.), chairman of the House Committee on Homeland Security, will speak at a DEF CON Voting Village Election Hacking Presentation from 10 a.m.- 2 p.m. at the U.S. Capitol.