The Attack on Treasury: Cloud Computing and the Implications on Cybersecurity

As many as three U.S. Treasury websites were hacked to attack visitors with malicious software. The sites belong to the Bureau of Engraving and Printing. Visitors were redirected to a Ukrainian website that, according to Computerworld, then launched a variety of Web-based attacks based on a commercially available attack-kit called the Eleonore Exploit pack. All three sites showed a "page not found' error yesterday morning. The problem was discovered by security vendor AVG.

In an explanation, Treasury issued the following statement:
"The Bureau of Engraving and Printing (BEP) entered the cloud computing arena last year. The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected. On May 3, the Treasury Government Security Operations Center was made aware of the problem and subsequently notified BEP. BEP has four Internet address URLs all pointing to one public website. Those URLs are; BEP.gov; BEP.treas.gov; Moneyfactory.gov and Moneyfactory.com.

BEP has since suspended the website. Through discussions with the provider, BEP is aware of the remediation steps required to restore the site and is currently working toward resolution".

Will this stop the government from its commitment to cloud computing ? More importantly, should it ?

The FY 2010 budget request, boldly went where no President had gone before - into the brave new world of cloud computing. The section of the budget document that mentions cloud computing, Cross Cutting Programs, talks about the benefits of cloud computing and the pilots that will be carried out in selected federal agencies, saying "Pilot projects will be implemented to offer an opportunity to utilize more fully and broadly departmental and agency architectures to identify enterprise-wide common services and solutions, with a new emphasis on cloud-computing."

In terms of managing cloud computing, GSA, under the direction of CIO Casey Coleman, is the agency that has been designated by the Vivek Kundra to lead the federal cloud computing program. This federal working group is building on the IT Infrastructure Line of Business (ITI LoB) initiative. Several different agencies are represented in the Federal Cloud Computing Working Group.

Last year, when we talked to Peter Tseronis deputy CIO of DOE, who is also quite active in the federal cloud computing initiative, Pete accepted that there may be risks in cloud computing but that it did not mean that we should abandon it. He said "Risk mitigation needs to be a part of any cloud computing strategy. The risks associated with cloud computing are the same risks associated with any investment in technology. We can manage it by using firewalls, encryption, authentication, VLANs and other devices at our disposal. In addition, regulatory compliance will drive implementation. Securing the cloud computing perimeter is important, yet we need to acknowledge that the greatest risk to penetration resides within the perimeter.

The advantages of cloud computing are many and it is easy to see why, in a time of budget pressures, the government has chosen to get into cloud computing in a big way. Among others, the advantages include smaller capital investments in infrastructure, and allowing for a pay as you go model, thus allowing the government to avoid getting tied into one vendor. The overhead costs associated with hardware and software upgrades are also minimized. Availability of computing resources across agencies is increased, thus providing scalability. At the same time we have had a number of missteps recently blamed on cloud computing, such as the Gmail outage. At that time CTO of Cisco, Padmasree tweeted "Gmail down? Hard to imagine this in critical Enterprise or Public sector apps. Need secure Clouds with SLAs=role of the Network". Google and other vendors in the arena of cloud computing have been pushing the private and public sector to make use of the cloud through their products like Google Chrome and Google Docs.

Cybersecurity is obviously a priority for this government, and we had discussed earlier, at some length, the various cybersecurity initiatives that the government is engaged in. President Obama has made it clear that cybersecurity was going to be a priority for his administration. He said "Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage." Around the same time, following a 60-day review of US cybersecurity status and issues, the White House released details of a short-term action plan called the "Cyberspace Policy Review, Assuring a Trusted and Resilient Information and Communications Infrastructure". The report acknowledged that the status quo in cybersecurity could not be maintained and outlined priority areas for immediate work. Cybersecurity in a cloud environment is obviously a critical area that the government needs to review, particularly given that there could been an argument that cloud computing increases your vulnerability to cyber threats.

A safer model to use may be that of DISA. DISA's Rapid Access Computing Environment (RACE) is a well-regarded cloud computing pilot. In this case, there is a "fee for service," where a customer comes to DISA and pays for services provided. RACE is therefore a shared services cloud that gives DISA customers on-demand, self-service access. RACE is located in one place (within DISA) unlike many cloud computing platforms but customers get a full range of options that are available to cloud computing clients.

The budget pressures that are facing the Government today will not go away. The cloud computing environment has proved that it has much to offer not just in terms of efficiency and low costs, but also in terms of technology - such as potentially higher scalability. The Treasury incident demonstrates not the need to move away from cloud computing but rather is a warning that we should explore the best models for federal cloud computing, and learn how to best balance the twin priorities of cloud computing and cybersecurity.