The federal government currently has few tools to deal with major outages in cloud services. NPR’s Steve Inskeep talks to Mark Rogers of Q-Net Security about how the White House wants to change that.
STEVE INSKIPP, host.
Your federal government says there is a particular vulnerability in the cloud for many American institutions.
(AS VOICE FAILS)
PRESENTATION. No, no, no, no, no, no, not that kind of cloud. We are talking about the Internet. In his new cybersecurity strategy, President Biden identified cloud security as a major threat. Officials are talking about a series of changes and reforms, including requiring cloud service providers like Amazon and Microsoft and Google to try to verify the identities of their users, making it harder for foreign hackers to do so. , what are they doing? We called Mark Rogers, an “ethical hacker” and Chief Security Officer at Q-Net Security. Rogers helped us explain where the cloud was.
MARK ROGERS: So the cloud is on-demand computing, located in data centers around the world, connected to the Internet, that often replaces the software products you traditionally run on your PC or home office.
INSKEEP. I think I know someone who has physically seen the cloud and it doesn’t seem like it’s actually on the cloud. My brother works for various technology companies and has visited these data farm server farms all over the country. That’s where it is, right?
ROGERS: Yes. Absolutely. And in cyber security, we have a saying: there is no cloud. It’s just someone else’s computer.
INSKEEP. Well, I think about the upside and downside of it. I guess the opposite is that all the information is copied there. The downside is that all the information is copied to another location that is not close to me.
ROGERS: Yes. That’s it. Between the cloud and open source software, we’ve probably seen the greatest democratization of innovation since the dawn of computing. So all these wonderful services that you can access online are basically driven by the cloud and how easy it is to make it happen. But on the other hand, it runs on someone else’s computer. And so you’re completely dependent on how well they make sure their overall system is secure, and the policies and processes they have in place.
INSKEEP. What are the ways that someone can attack all or part of the cloud, somewhere on a data farm?
ROGERS: So one of the biggest risks is when the software was running on your computer at home or in the office, that was one target, so it could be particularly attractive to threat actors, depending on what your business is. But when you put it in the cloud and suddenly you have a million of them in the same place, you’ve got a basket of golden eggs that attracts a lot of threat actors. So that’s the first challenge, is that the cloud becomes a very attractive target. The second challenge is that you can’t actually see how they build their environment. And so, as we’ve seen a lot of the big breaches that happen, they’re often, you know, missed steps in terms of good security practices. And there are vulnerabilities, just like you’d find in your home software, that exist in the cloud. But you can’t see it because it has to be maintained by the cloud service provider.
INSKEEP. You have addressed the violations that are occurring. Give me some cases here. What is an example of exploiting, opening or destroying the cloud or part of it?
ROGERS: Well, I mean, unfortunately, it’s all too common. So if you search for any major breach that’s happened in, I don’t know, just in the last six months, and you see big company names like Microsoft, Google, LastPass, all of those cloud are security breaches.
INSKEEP. Is United States government information vulnerable in this way?
ROGERS: Yes. Unfortunately, it is. If you read the recently released National Cyber Security Strategy, it talks about the cloud, it talks about critical infrastructure, and it talks about much more proactive ways that they’re going to protect these things. So the government is aware, but at the same time, the government also sees the cloud as a way to get rid of a lot of the legacy problems that they have. There are many old settlements in the federal territory. You know, there are agencies that are using decades-old, antiquated systems that need to be replaced. And the cloud is an attractive way for them to scale and update it all at minimal cost. But the problem is, if you do that without considering what I said earlier about the other risks that are created, you potentially create a whole new set of problems.
INSKEEP. I want to remind people that you are described as an ethical hacker. Companies hire you to try to hack systems so they can learn how to do it and protect against it. Have you hacked cloud computing?
ROGERS: I have: It’s hard to describe the systems I’ve been in without revealing things I have to keep with confidence. But I can talk about some of the things I’ve done publicly.
INSKEEP. Of course.
ROGERS: Perhaps most famously, I hacked a Tesla Model S back in 2015. And you might ask, what does a car have to do with the cloud? Well, the Tesla Model S is a cloud-connected car. So it’s talking over the Internet, over telecom services, to the private cloud that Tesla runs inside their facilities, and it’s sending a lot of data over there. By hacking the machine, I was able to break into that infrastructure and gain access to factories and other information. So that’s one of the challenges that the cloud has, often the things that connect to it become weak points. So all the IoT devices out there that are connected to the cloud can become vulnerable areas that can allow someone to get into that cloud and gain access to it.
And we never really know how much data these things collect. Now we’ve seen things like vacuum cleaners like the Roomba that have cameras and that record footage of your home. We wear wearables that record medical information and store it in the cloud. All too often, the intrusion of something as innocuous as footprints can result in some very important information about you being extracted and delivered into the hands of hostile threat actors. It’s really good that the government is talking about this problem, because they’re paying attention to something that has been kind of not given enough attention, I think. Much attention has been paid to how the cloud can save us, and not enough attention has been paid to the risks surrounding the cloud.
INSKEEP. Mark Rogers, it was nice talking to you. Thank you very much.
ROGERS: Thank you so much for having me.
NPR transcripts are generated on a rush basis by an NPR contractor. This text may be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the transcript.