The Biden administration is moving forward with a plan to enhance cloud infrastructure security by requiring companies to collect personal information from users, despite intensifying backlash from executives at Amazon and other tech giants.
The White House says the proposed cloud security policy — dubbed Know Your Customer (KYC) — is crucial for disrupting hackers who use commercial cloud services to launch cyberattacks or as areas to lurk indefinitely to find vulnerabilities over time. KYC was part of the National Cybersecurity Strategy (NCS) released in March.
Government officials fought hard to keep KYC in the strategy, despite industry pressure. This week the tension increased again as major cloud providers made clear on Tuesday that they will fight back, criticizing the policy with a report co-led by Amazon that will be sent to the president.
Amazon Chief Security Officer Stephen Schmidt unveiled the recommendations in the report at a meeting of the National Security Telecommunications Advisory Committee (NSTAC), a White House advisory panel designed to solicit industry feedback on telecommunications policy. The committee includes representatives of Microsoft, Palo Alto Networks, Viasat and Comcast, among others.
Experts say KYC could cost the industry billions of dollars in administrative costs. Currently the cloud companies do not gather customers’ information when they sign up, largely due to the expense and logistical challenges of doing so.
A senior Biden administration official bristled at the report’s contents on Wednesday, telling Recorded Future News that “in most industries, responsible companies understand who their customers are, particularly where there is a chance those same customers can abuse their services for nefarious purposes.”
The NSTAC report comes as the government’s Cyber Safety Review Board is turning its attention to cloud security after thousands of government email accounts, some belonging to senior Biden administration officials, were breached in July by Chinese hackers who exploited Microsoft cloud vulnerabilities.
‘More harm than good’
According to comments made at Tuesday’s meeting, Schmidt co-authored the report with Broadcom CEO Hock Tan and significant support from Jordana Siegel, Amazon Web Services’ head of public policy for cybersecurity and data protection.
The report says KYC regulations would likely do ”more harm than good” and could substantially benefit Chinese cloud providers. It also argues that KYC could expand the identity fraud market, is “unlikely to be effective in addressing the actual threat” and would raise privacy concerns.
The hackers of greatest concern to the federal government — including those associated with nation-states — would easily work around KYC requirements due to their sophistication, the report argues.
The report, titled “Addressing the Abuse of Domestic Infrastructure by Foreign Actors,” also raises questions about how a KYC policy would cause “unintended consequences, including increasing friction with key U.S. allies, whose cooperation is critical in addressing global cyber threats.”
KYC would create “real and perceived” obstacles for private sector companies sharing threat information with each other and the government, the report asserts, citing “resource constraints” along with liability and privacy issues that the authors say will particularly disincentivize small and mid-size enterprises from investigating whether their networks are hosting harmful activity.
Among the report’s recommendations are a suggestion that the Office of the National Cyber Director develop a strategy for fighting abuse of domestic infrastructure (ADI) that “establishes a long-term, multi-faceted approach” as part of its implementation of the NCS and that the Cybersecurity and Infrastructure Security Agency and the National Security Agency create an “operational working group” with leaders from the private sector to focus on “enhancing tactical collaboration to address ADI.”
It also recommends that the government establish a “public-private task force” to guide technology providers in enhanced security practices, a framework that the report says could shape the implementation of KYC.
An Amazon spokesperson noted that Schmidt co-authored the report in his capacity as a member of NSTAC, “a body chartered to provide information and advice from industry experts to government.” The spokesperson also said the report “offers several recommendations that were approved unanimously by the NSTAC membership and will help protect against abuse of domestic infrastructure.”
The report’s recommendations were approved unanimously by the NSTAC membership, the spokesperson noted.
Schmidt this week emphasized Amazon’s place in the cloud security industry, telling the Washington Post that the company has a “net footprint larger than any other cloud provider,” and that the company has frequently “produced the pivotal component in a CISA advisory.”
Not a new idea
The Department of Commerce has been working for months on a proposed rule for implementing KYC. A spokesperson there declined to comment.
The KYC proposal dates to the Trump administration, which introduced an executive order to require the policy near the end of that term. The Biden administration has long supported the order and has said it expects it to be implemented.
“All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior,” the National Cybersecurity Strategy says of KYC, citing the implementation of the original executive order.
“Implementation of this order will make it more difficult for adversaries to abuse U.S.-based infrastructure while safeguarding individual privacy,” the strategy asserts.
Former National Cyber Director Chris Inglis, who oversaw the development of the NCS, is known to be a champion of KYC requirements.
Mark Montgomery, who was executive director of the Cyberspace Solarium Commission, called the NSTAC report disappointing, saying it makes him wonder if “anyone who’s in this industry believes we need to have higher standards in cloud computing.” Inglis was also a member of the commission.
Montgomery said Inglis and other senior administration officials stood firm on including the KYC language in the NCS despite relentless industry pressure.
“It speaks volumes to the commitment of the administration to KYC that it maintained its position in the strategy, despite all the industry pushback,” Montgomery said. “I’m glad the administration had the wherewithal to stand up to the lobbying effort when writing the national strategy, and I hope that same logic applies as they read this NSTAC report.”
Montgomery noted that cloud service providers will play a vital role protecting critical infrastructure going forward, making KYC all the more important.
“They’re more and more critical to the security of utilities and medium and large businesses and if we can’t have a guaranteed level of security, it’s going to be a problem,” Montgomery said of the cloud industry. “And I worry when I see a report like this, because it makes me think that it’s going to be hard to tell the cloud computing industry to do anything.”
Part of a broader effort?
Even cybersecurity experts who believe KYC has flaws see it as a good first step in attacking a significant problem. Bryson Bort, the founder of SCYTHE, a startup building what it calls a next-generation attack emulation platform, said via text message that “like anything at scale, it [KYC] adds a step, but doesn’t unilaterally solve it.” Bort is also co-founder of the ICS Village, a nonprofit advancing awareness of industrial control system security.
Implementing KYC would be very expensive for cloud companies, according to Michael Daniel, who is president of the nonprofit Cyber Threat Alliance and a former senior Obama administration cybersecurity official.
Daniel said that when the financial services industry implemented its own KYC requirements after the 9/11 terror attacks, it cost the industry billions.
However, he added that such investment may be merited since “clearly there are national security concerns” inherent to “bad guys making use of U.S. cloud infrastructure.”
The question, Daniel said, is how to best secure the cloud and whether there may be less expensive ways than a KYC regulation.
“Are there alternative methods for identifying fraudulent malicious use of accounts that would accomplish the same goal, but maybe cost less or have fewer privacy implications or require the cloud providers to store less information about people?” Daniel asked. “You’ve got to make sure that the outcome is going to be worth the cost and the burden that we’re going to put on the cloud service providers.”
No previous article
No new articles
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.