Should the United States base its national cyber security strategy around commercially offered “cloud computing,” as many are suggesting?
The computer industry is aggressively promoting the advantages of moving our data and applications to big, fast server farms reached seamlessly through portable wireless devices anywhere in the world. But all too often the bright shiny aspects of new technologies obscure how investing massively in those technologies strongly constrains future choices. Moving to the cloud as a national security choice should be questioned in three main areas: centralization, breadth of risk, and resilient alternatives neglected.
First, the key question is not whether to centralize, but how is the cloud structured institutionally and technologically to be able to disrupt any conceivable or innovative kind of surprise attack? Centralization is a good or bad strategy depending on which disruptive surprises you expect against what you are trying to protect. Dragging everyone behind the big castle walls is great until the enemy brings up big honking cannon and blows the walls to bits. Or they dig under the walls at night and massacre the sleepers. Or they lure you into bringing in a really pretty, weirdly huge hollow wooden horse… and you get the picture.
Conversely, dispersed, disconnected but armored small units are great unless the enemy systematically tracks each one down and locally overwhelms them. Or you have to rapidly coordinate all of them to do something different in some synchronized response to the enemy without letting the bad guys know where they are. Or you have to feed, maintain, refresh, train, or rearm all of them rapidly with too few headquarters folks… and you get this picture as well.
Furthermore, with centralization, who exactly gets to decide what to do when surprised or to dictate the preparations against surprise attacks? Who is our collective cyber cloud Czar – the Joint Chiefs of Staff, the chief financial officer ensuring the profits of the ATT cloud, or the clutch of IT designers whose own data or jobs are not actually at risk? So perhaps an automatic “Yes” to a centralized firm owning a bank of servers mysteriously protected with ‘trust me’ is really a question for wider debate.
Second, how resilient internally is this ‘cloud’ to the bad actor who made it inside anyway or was already inside? Is the centralized cloud designed like an M&M with a hard shell and soft center, or is it built of concentric, dispersed, or otherwise stratified circles inside, each monitored, tracked, adjustable, and individually able to repulse and recover from an attack without loss? How well, and by whom, is it being ensured that all the data are redundantly protected and stored encrypted, so as to make harder a single WikiLeak-like windfall from insiders, or a massive covert extraction or logic bomb dispersal campaign by an unnoticed big peer state, or even a Stuxnet-like disruption and obfuscation attack? How is the tradeoff structured, and who is paying for it, that gives up some efficiency to add security with slack in time (called ‘air gaps’) between discovery of the attack and the attacker scampering out with the jewels or destroying the system? Finally, how frequent, realistic, funded, and influential is the continuous trial-and-error learning about the dynamic operations of this cloud in order to anticipate what is likely to be accessed, lost, or destroyed? Who’s checking and willing to increase operating costs for the resilience of the very complex overarching cloud?
Third, what alternatives to growing a small set of meta internet service providers (ISPs), giant telecommunications firm hybrids, are not being considered because we accept the current cloud proposals as presented? The extraordinary blood-on-the-sands competition to be the cloud services provider par excellence among these mega firms certainly signals that massive amounts of dollars are on the table to have one of the truly sweet monopoly positions. But they have not offered any more in terms of their assumption of liability if their efforts fail in taking care of the nation’s cyber protection business. Rather, if their proprietary efforts fail, the nation will pay three times for the experience. Not only will most of the nation have handsomely forked over without legal recourse if their ‘trust me’ is poorly structured, but national resources will pay to fix the mess, the quality of life losses, and the danger to the critical systems and needs of the nation when all are legally dumped on the US government to clean up. Then more time, treasure, and risk will go into the ensuing scramble to find alternatives to what will have proven to be the unanswered questions about cybersecurity and a commercially provided national cloud.
At the end of the day, the debate must come to ask what is the ‘national’ role in what would cumulatively be a putatively national meta-cloud built on this handful of ISPs? Who defends the interests of the whole system, those who will pay and pay again if the profit-takers cut corners, move data insecurely offshore, and then say sorry when security has lost to efficiency and market share? In the COTS cloud, who speaks for the nation?
Chris Demchak is an Associate Professor at the US Naval War College and at the University of Arizona. The views expressed are her own and do not reflect those of the Navy or the U.S. government. This article is the fifth in a series titled Cybered Conflict.