Monday, July 12, 2021
Cloud computing is a powerful technology that is now breaking out into the mainstream, more than a decade since launching in 2006.

In a recent report published by the Information Technology & Innovation Foundation (ITIF), I show how cloud lowers costs, creates technical and business agility, and enables innovation and digital transformation. Interestingly, Irving Wladawsky-Berger posted a blog building on the ITIF report emphasizing that cloud can also improve cybersercurity,” Leveraging Cloud Computing to Enhance the Nation’s Cybersecurity.” 

Government and industry have taken multiple actions to improve cybersecurity that have helped but, as SolarWinds, meat giant JBS, Colonial Pipeline, and many more cyber-breaches show, are not yet succeeding. We need to do something different. The common assumption embedded in many prior efforts is that we can educate and train millions of organizations across the country to protect themselves. Yet, most of these organizations lack sufficient resources, skills, and incentives to fully protect themselves. 

This is problematic for the government and the thousands of companies that provide public services (banking, energy, transportation, etc.) that make up the US critical infrastructure. Past decades’ efforts have shown that trying to get every organization to do all the many things needed to be secure is not practical and is not succeeding. That approach doesn’t scale. 

We need a better way. Cloud computing is a platform that provides advanced security at scale. Similar to how we rely on specialist providers to build a house or on a bank to protect money, we can use the cloud to provide better cybersecurity. It’s not enough to shift the responsibility to an expert cloud provider. Across many industries, the government sets standards, rules, and best practices. Specialist providers—in this case cybersecurity—must meet the rules, be licensed to perform them, achieve certifications so the public can trust them, and pass regular inspections. The cloud is not a panacea, but can substantially improve the US cybersecurity posture and ability to respond to the inevitable attacks. 

How cloud can help improve our security posture. Cloud providers take responsibility for protecting much of the IT infrastructure including networks, data centers, and physical infrastructure (servers, storage). They also protect and managecritical software infrastructure like operating systems and databases. Many of the world’s most security conscious organizations take advantage of cloud security and are heavy cloud users, like banks, governments at all levels, and intelligence agencies (CIA). 

• First, cloud providers have substantially more resources, investing billions of dollars a year in cloud security. 

• Second, cloud providers have developed substantially more cybersecurity best practices, tools, and people-expertise. 

• Third, cloud is a consistent platform with security “built in by design” that provides services including: zero trust through identity and access management, multi-factor authentication, encryption, network segmentation, logging, and continuous monitoring, among others. Just as important, the cloud provides common software development, deployment, and change management tools. Cloud also integrates securely with on-premises infrastructure in a “hybrid” approach. Cloud can automate and manage security at scale, detecting, responding, mitigating damage, and recovering from cybersecurityattacks. 

• Finally, cloud providers have massive incentives to provide strong security. A breach or downtime has tremendous financial and reputational costs that go to the core of their business model. As a result, they have built fault-tolerant architectures with independent regions and redundant availability zones. The cloud has outages too, but few of them and provides back-up and recovery.

Business and governments obtain better security, lower risk, and can focus on their core competencies. Cloud customers have a much smaller environment to protect: their “attack surface” is much narrower. Customers can focus on their critical data, apps, and their network connections to the cloud. This enables them to focus more on their business or mission. In addition, government regulators can more effectively work with a relatively small number of large, skilled cloud providers to implement required security technologies, and inspect and certify them.  

Cloud is not a panacea. Cloud has a “shared” security model where the cloud provider has responsibility for the cloud itself, and the customer has responsibility for what they put in the cloud (e.g., appsand data) and how they connect to the cloud. This puts a premium on clear roles and responsibilities between the cloud provider and customer. In addition, the cloud itself will be subject to increasing cyber-attacks and the risk is more concentrated in a handful of providers. However, similar to the way we rely on banks to protect financial assets, we rely on cloud providers to protect data assets and IT.  

More needs to be done. In my report, I call for a cloud government-industry cybersecurity collaboration program, and for simplifying and automating compliance, among other actions. The May 12 cybersecurity executive order calls for a federal cloud cybersecurity strategy and takes several important steps. Yet, more needs to be done. The President has stated that Cybersecurity is “a top priority and essential to national and economic security.” The time has come to make cybersecurity more than voluntary, and make a commitment commensurate with cybersecurity’s importance.

The May 12 order requires mandatory reporting of cyber-security breaches, at least for federal contractors. Should cybersecurity actions be required for critical infrastructure providers above a certain scale, e.g., for banks, electric utilities, transportation companies, and others? For example, after the great recession in 2008, financial institutions deemed systemically important were required to pass “stress tests” and share buy-backs and dividends were limited. Industry regulators (e.g., Federal Reserve, FERC) have started to incorporate cyber risk into their operational reviews. Industry self-regulatory organizations already develop standards and safety codes (electrical codes, building codes, financial broker-dealer safety) that the government then requires. There are multiple ways to implement cybersecurity requirements. Banks, electric utilities, and other critical infrastructure providers could try to do it themselves, form industry consortia to provide these services (e.g., Sheltered Harbor for banks), or use the cloud and leverage their security capabilities and certifications. 

Rationalizing cybersecurity guidelines will help provide clear requirements and best practices. Continuous monitoring will also be needed, with regular inspections, just as we inspect security at banks and airports. To maximize effectiveness, the government could provide partial funding, public certification badges, or perhaps limit liability for providers who have met the highest cyber requirements. 

We are moving to a digital economy to generate economic growth, well-paying jobs, and improve social equity. We need to ensure the digital economy is secure and sustainable. Cloud can help us get there.


Image courtesy of kibsri at