Why a Critical Infrastructure Designation for Cloud Won’t Enhance Security—And What Would

The Biden administration’s push for stronger national cybersecurity includes an emphasis on securing critical infrastructure against cyber threats, as seen both in the new National Cybersecurity Strategy published earlier this year and in the plan to revise the outdated Presidential Policy Directive 21 (PPD-21). The new National Cybersecurity Strategy also recognizes the expanding use of the cloud, particularly by critical infrastructure entities, and the potential for the cloud to enable better cybersecurity practices at scale. With more use of the cloud, however, also come greater concerns about the security of cloud providers themselves. One solution that has been mentioned is to add the cloud computing industry to the list of critical infrastructure sectors. The simplicity of this approach clouds the lack of value it would likely bring.

A Challenge of Scope and Definitions for an Evolving Technology

The first challenge to such an approach is a definitional one. The cloud is not a static technology but rather constantly evolving and innovating. As a result, it becomes particularly unclear how to define the kinds of companies that should be included in a sector that would then be given a critical infrastructure designation.

At its core, the cloud is simply the idea that, rather than being responsible for one’s own servers and data centers, there is scale and efficiency in renting storage and computing from large providers like AWS, Microsoft Azure, and Google Cloud. But the cloud is not just about providing the data center and storage hardware. It also includes the software-defined environments and services built on top. In the IT industry, it is common to think about the cloud as encompassing some combination of platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS), along with other tools—frequently provided by entities separate from the large cloud players—that support the interaction between the technical layers and assist with activities on the cloud. A wide variety of companies can thus be considered part of cloud computing, and this variety undermines attempts to treat them in consistent and similar ways.

That’s not all: the technologies underlying and adjacent to cloud computing continue to evolve. A hot new trend is the concept of moving from the cloud “to the edge,” meaning that computing and data analytic processes occur closer to the source of the data. As companies push to the “edge,” the overlaps and the interactions between the cloud and the devices, telecommunication services, and smaller storage technologies scattered closer to users become more complicated. This would make it even more challenging to ensure that the scope of this sector is clear for a critical infrastructure designation.

A Question of the Value-Add of a Critical Infrastructure Designation

If it is challenging to clearly scope the types of entities to include in an ever-evolving cloud sector, it is also questionable whether a critical infrastructure designation provides any value in enhancing protections. In fact, as noted by Anne Neuberger, national security advisor for cyber and emerging technology, at a recent CSIS event, for some organizations, particularly small and medium ones, moving to the cloud actually allows them to improve their cybersecurity since cloud providers can provide better cybersecurity practices than their in-house processes. The National Cybersecurity Strategy also notes the promise of modernizing the federal government through a migration to the cloud for federal legacy systems.

Cloud security concerns frequently fall into one of two types: that of access and that of data loss or misuse. For the former, it is certainly true that significant negative impacts can occur when cloud providers’ services go down. However, business competition is likely a more effective solution than any regulatory requirement; cloud providers are incentivized to enable recovery and backups as quickly as possible as part of doing business. Moreover, once a critical infrastructure designation is in place, there is the expectation of more support from the federal government, which could, in turn, limit the innovations that would otherwise occur from a competitive global business environment.

When it comes to data loss or misuse, a major factor is misconfiguration. Several major cloud security incidents in recent years have, for example, been the result of misconfigured Amazon S3 buckets. Users of cloud services are often the ones responsible for such configurations, and so cloud security is fundamentally shared between cloud services providers and their users. This elevates the importance of clarifying the division of responsibilities and the contract terms between cloud services providers and users. In other words, the solution should not focus on the internal security practices of a cloud computing sector itself, but rather on the interactions between cloud services providers and their users, such as through more effective contractual obligations that set out clearer roles and responsibilities.
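The S3 misconfiguration mentioned above sits squarely on the customer's side of the shared responsibility line, and it is checkable by the customer. The following is an added example, not code from the article or from AWS: an offline audit of a bucket policy document and the bucket's Public Access Block settings, in the JSON shapes AWS uses, that flags the settings which make a bucket world-readable. The bucket name, account ID and role name in the sample inputs are constructed placeholders; nothing is fetched from AWS.

```python
"""
Offline checker for the S3 misconfiguration pattern the article refers to.
Added example; inputs below are constructed, not taken from any real account.
"""
import json

# The four bucket-level Public Access Block settings. True for all four is the
# safe default that AWS applies to new buckets.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    # Policy documents allow a single string or a list in several fields.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # "*" or {"AWS": "*"} grants the statement to everyone, anonymous included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def audit_bucket(policy_json, public_access_block):
    """Return a list of finding strings; an empty list means no public exposure found."""
    findings = []
    policy = json.loads(policy_json) if policy_json else None
    if policy:
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if not _principal_is_public(stmt.get("Principal", {})):
                continue
            actions = _as_list(stmt.get("Action", []))
            # An Allow to everyone with no Condition is plain public exposure.
            # A Condition may narrow it (e.g. to a VPC endpoint), so report
            # those separately for review rather than as a definite finding.
            if stmt.get("Condition"):
                findings.append(f"conditioned public Allow for {actions} (review the condition)")
            else:
                findings.append(f"public Allow for {actions} with no Condition")
    for key in PAB_KEYS:
        if not public_access_block.get(key, False):
            findings.append(f"PublicAccessBlock {key} is disabled")
    return findings


# Constructed sample: the weak configuration (anonymous read on every object,
# Public Access Block switched off).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})
WEAK_PAB = {key: False for key in PAB_KEYS}

# Constructed sample: the corrected configuration (a single named role may read,
# Public Access Block fully enabled). Account ID and role name are placeholders.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader-placeholder"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})
HARDENED_PAB = {key: True for key in PAB_KEYS}


if __name__ == "__main__":
    for label, pol, pab in (("weak", WEAK_POLICY, WEAK_PAB),
                            ("hardened", HARDENED_POLICY, HARDENED_PAB)):
        print(label, audit_bucket(pol, pab) or "no findings")
```

The check is deliberately conservative: it treats any unconditioned `Allow` to `*` as a finding and only asks for review of conditioned ones, which is the same split a contract or internal standard can express in plain language ("no anonymous grants without a documented exception"). Running it against the two constructed inputs yields five findings for the weak configuration and none for the hardened one.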

None of this undermines the critical role that the cloud plays, particularly as the vast majority of existing critical infrastructure providers already rely on the cloud in some form. Cloud security is essential. However, cloud security recommendations should be targeted to the specific tools used by organizations to manage their cloud use, the kinds of workflows they enable, the data they have, and most importantly, the kind of risks against which they seek to protect. For example, some cloud users may want to focus more on ensuring adequate backups, while others may choose to limit access to data. Because each industry and each company may use the cloud slightly differently, have different contracts with various cloud providers, and manage configurations in different ways, an attempt to encourage a one-size-fits-all method to enhancing cloud security through designating it as its own critical infrastructure sector is not going to do all that much.

Encouraging Better Cloud Security Practices through Other Means

Rather than adding the cloud as a critical infrastructure on its own, the better approach is to recognize its value as a tool for existing critical infrastructure and ensure that there are appropriately shared levels of responsibility between providers and users, as well as more effective articulations of what best practices look like in different industries. After all, the concern tends to not be with the security practices of the cloud services providers themselves, but rather with how securely entities in other sectors use those services.

This could mean that existing critical infrastructure sectors receive better support and more training on how to use and configure cloud services, what to include in contracts, and how to work with cloud providers and the government to ensure rapid response when incidents occur. In turn, each industry may have a different set of requirements for cloud security. There can be lessons learned within sectors about how, for example, healthcare companies can use the cloud in ways that are unique from electricity companies. In this case, the trend of industry clouds can provide greater value in deepening shared responsibility models that are adjusted for specific industry needs.

At the same time, best practices need to be shared and socialized. At the same CSIS event, Anne Neuberger noted the importance of ensuring a baseline level of security in cloud services, and the federal government can encourage agreement on how that baseline should be evaluated. Recent reporting about the importance of maintaining higher levels of logging data in the cloud as part of contracts for some entities is an example of what some cloud users should know to ask for. The revisions to streamline the FedRAMP program in the FY 2023 National Defense Authorization Act are actually a good step. Though the FedRAMP program is exclusively for the adoption of cloud services in the government, it does set a precedent more broadly of what entities should be looking at when they assess and test for risks of cloud use, and it promotes the validity of reusing security assessments in certain situations so that cloud users can learn from each other.

There have been consistent calls to modernize the definitions and responsibilities of critical infrastructure in the interest of enhancing cybersecurity. This is a lofty and important goal—but one that is not well-served by simply adding another critical infrastructure sector in the form of a nebulous cloud sector. When it comes to cloud security, the implementation and operational pieces are more critical than designations and high-level policies. As such, the focus for the government should be on providing existing critical infrastructure entities with guidance on how they can more securely use the cloud and collaborate with cloud providers to share responsibility.

Yinuo Geng is an adjunct fellow (non-resident) with the Strategic Technologies Program at the Center for Strategic and International Studies.
