Cloud cuts both ways when it comes to cybersecurity

The increasing availability of options in cloud computing are making the strategy more appealing to many government agencies, but the unique security demands of the Defense Department and related organizations require extra attention to cyber safety.

However, the growing cloud movement might help drive efficiency and improve defense IT operations, a panel of federal officials said July 15 at the AFCEA Cybersecurity Symposium in Washington.

“There are a lot of promises out there of cloud computing ‘reducing costs ten-fold’ or ‘savings of 50 percent’ – but we have to make it operationally beneficial,” said Dave Mihelcic, Defense Information Systems Agency chief technology officer.

He added that elasticity and scalability of any cloud system would be critical, but that the benefits of pooling resources could help avoid wasted capital.

For a cloud approach to work for cybersecurity, there must be a number of precautions and considerations taken before any action, panel members said.

Daud Santosa, chief technology officer at the Interior Department's National Business Center, said any cloud policy must align with both the mission and business IT systems – a tenet that sometimes seems to get lost in the zeal to implement new technologies and strategies.

“We have forgotten Computer Science 101 – we have to look back at the basic architecture, considering the complexities before we even begin,” Santosa said. “You must plan security at the beginning, not at the middle or end. And you have to balance the security risks with budget constraints, and that’s very difficult.”

Still, the move toward cloud solutions is a driver for federal IT, Santosa said.

“Cloud will force the future of software [requirements],” including the ability to scale quickly, he said.

Gus Hunt, chief technology officer at the Central Intelligence Agency, warned against the dangers of not getting cloud right. He said that any cloud solution must keep up with a changing threat landscape where the pace is increasing – and that a failure to keep up will result in real penalties.

He highlighted his top security maxims: that absolute security is impossible, people are the weak link and current methods are insufficient and unsustainable.

“You must assume you’re going to be had, and then maximize the opportunity,” Hunt said. “You can leverage cloud by embracing elastic computing…and turning it into a shell game for your adversaries.”

It’s a concept that is gaining traction on the international policy level, albeit slowly, according to Kevin Scheid, deputy general manager at NATO's C3 Agency.

He said that the 2007 cyber attacks on Estonia served as a cybersecurity wakeup call for NATO. Since then, NATO has been formulating exactly how to approach cyber warfare, he said.

“[The Estonia cyber attacks] was the first time NATO began to think about cybersecurity in the context of Article 5,” he said. (NATO’s Article 5 governs how allied countries respond to an attack on a member country of the NATO Alliance.) “It expanded the notion of cybersecurity and the military.”

Cybersecurity is now receiving increasing focus as the agency looks to transform in the 21^st century, Scheid said, though he acknowledged it’s a long process.

“NATO is deliberative, which is good…but it can be slow, which is bad,” Scheid said.