Should Amazon, Microsoft, Google and Other Cloud Companies Face More Government Oversight? | #cloudsecurity


Cloud-computing services are so ubiquitous that it’s hard to fathom modern life without them.

Take a photo on your phone and it is zapped to a cloud service for storage. Order shoes online, book a hotel room or stream a TV show, and the transaction likely takes place in the cloud. Moreover, thousands of companies and government agencies use cloud computing to run their core internal software and databases.

So when cloud services go down due to a technical malfunction—or get hacked or infected by a virus—millions of consumers and corporate customers can suffer.

In one of the largest-ever corporate attacks, dubbed Cloud Hopper by security experts, hackers gained entry to scores of companies’ data by breaking into at least a dozen cloud service providers used by these companies. The hackers, linked to China, stole reams of intellectual property, security-clearance details and other records over several years, The Wall Street Journal reported in late 2019.

Yet the companies that provide cloud services—

Amazon.

AMZN -2.22%

com Inc.,

Microsoft Corp.

MSFT -2.41%

and

Alphabet Inc.’s

GOOG -2.15%

Google are among the largest—are lightly regulated compared with some other crucial industries, such as electric utilities, banks and airlines.

Should they face more government oversight? We put the question to three experts:

Matt Schruers,

president of the trade group Computer and Communications Industry Association;

Adam Conner,

vice president for technology policy at the left-leaning Center for American Progress; and

Sanjukta Das Smith,

chair of the management science and systems department at the University at Buffalo School of Management.

What follows are edited excerpts of the discussion, which took place over email.

Government’s role

WSJ: Do cloud-computing companies need closer government scrutiny?

MR. CONNER: Cloud services touch every aspect of American life and commerce. The significant and various cybersecurity, infrastructural and environmental implications of such services clearly merit increased government oversight.

SHARE YOUR THOUGHTS

Do you think cloud-services companies should be more heavily regulated? Why or why not? Join the conversation below.

An important role for the government is to consider systemic risks and put in place tailored regulations to ensure safety and soundness of important and ubiquitous infrastructural services—as they would for any other critical physical infrastructure.

MR. SCHRUERS: Cloud-based services are already subject to considerable regulation at the state, federal and international levels. The question isn’t whether these services should be regulated, but whether they should be regulated even more than they already are. No such case has been made. Calls for more need to demonstrate that the incremental benefit of more intervention outweighs the burden on public and private consumers of cloud services.

PROF. SMITH: Looking at this issue from the consumer’s side, there is a related matter to consider, which is a lot more nebulous, and that is trust. Using any cloud-hosted service requires a fairly high degree of trust on the part of the consumer. Think about money matters, identity theft, etc.

It may be in the interest of business to collaborate with the government in coming up with future regulations so that trust in such services doesn’t become too much of an obstacle and thus affect market success.

One size fits all?

WSJ: What are potential downsides, if any, of greater government oversight or regulation?

MR. SCHRUERS: Cybersecurity isn’t a one-size-fits-all proposition. Just as not every driver requires a race car, not every consumer of a cloud-based service needs or can afford the level of resilience required by the Pentagon. Imposing that resiliency standard on every vendor for every use case would price individuals and startups out of the market for these services, and make small vendors less competitive relative to large incumbent firms.

We shouldn’t forget that government fiat isn’t the only way to regulate. Government procurement standards already steer what the market provides, because vendors seeking government contracts must offer that level of resiliency. And governments can always choose to condition new funding on implementing new industry consensus standards and best practices. The power of the purse can be effective, and potentially more efficient, than additional regulation.

PROF. SMITH: If we look at the cloud-computing companies themselves, we are dealing with an oligopolistic market. These are large, powerful entities that have a lot of negotiating power, stemming from their market and economic influence. I don’t think regulations are going to stifle innovation in such large firms, even if we are talking about regulations that specifically target or raise the work burden in these companies.

MR. SCHRUERS: I often point to the “GDPR effect”: Following the implementation of the EU General Data Protection Regulation [in 2018], there was a sudden, observable concentration in web vendors. Larger, more established firms had the infrastructure to meet the new compliance burden, whereas smaller firms either voluntarily exited the market, or lost out because their customers weren’t as confident in their compliance programs. Brussels set out to get big firms, but wound up doing the opposite.

The lesson is that any time we impose a regulatory hurdle on a sector, it runs the risk of stifling smaller competitors who can’t meet the new compliance cost. That’s one reason why heavily regulated industries tend to be more concentrated.

MR. CONNER: If we focus on cloud-based online infrastructure, as Sanjukta correctly points out, there are only a few companies in an oligopolistic market. That level of concentration also presents a tremendous vulnerability. Outages in the largest cloud service providers over the last few years have had significant costs for businesses and consumers. It is becoming clear that these few services are a new form of critical infrastructure.

Matt pointed out that government procurement standards can help raise security standards. But commercial customers, not government entities, are where a tremendous amount of these critical services and sensitive information exist in the cloud. The last few years have shown the limits and vulnerabilities left by many of our voluntary standards in the commercial sector.

What we have now is a concentrated market that is also unregulated, seemingly leaving little downside to considering regulations for at least the largest gatekeepers in the space. Additionally, some proposed regulations can also improve competition and lower the cost for competitors to enter the space, which is a worthy thing to consider.

Global annual revenue for cloud infrastructure

Cloud infrastructure market share, 2020

Global annual revenue for cloud infrastructure

Cloud infrastructure market share, 2020

Cloud infrastructure market share, 2020

Global annual revenue for cloud infrastructure

Global annual revenue for cloud infrastructure

Cloud infrastructure market share, 2020

Global annual revenue for cloud infrastructure

Cloud infrastructure market share, 2020

WSJ: If you favor more government oversight, what behavior or situation would it target and how? For instance, should cloud companies be required to report breaches?

PROF. SMITH: I would like to see more government-mandated consumer protections when the consumer suffers from inadvertent or negligent actions of companies. Think about the average consumer whose credit rating has been devastated by identity theft stemming from a cloud security breach. A credit-monitoring service is usually offered in these cases, and that is a good start.

Thankfully, actual new-account fraud (the most egregious form of identity theft) is a very small percentage of the cases resulting from security breaches. But the damage done to an affected household is usually quite overwhelming. Think about the imbalance in the resources available to an individual working to restore his wrecked identity vis-à-vis the companies that the individual might be fighting with. Classic David vs. Goliath.

Security breaches must be reported. And this is where the consumer-protection issue comes into play.

I like the idea of delineating [security levels] by online service category. As Matt pointed out, not everyone needs Pentagon-level security.

MR. SCHRUERS: Procurement agencies can and do require suppliers to meet various consensus industry benchmarks for security and robustness. When it comes to standards, there’s well-established bipartisan public policy that the federal use of standards should be industry-led, characterized by openness, balance and due process.

A comment on breach reporting: Most states and the [EU General Data Protection Regulation] have some form of breach reporting already. One challenge is whether companies should report before they’ve diagnosed and remedied the threat, lest the report of the breach compound the injury by flagging to other adversaries the existence of an unresolved vulnerability.

Similar challenges confront mandates around disclosing what security software and systems a company deploys: Is this helping consumers make informed decisions, or just arming adversaries with more information?

At the same time, we want companies providing the information that governments and customers need to make reasonably informed decisions. Certifications play a valuable role here. For example, consumers trust UL-certified electronics without knowing precisely what tests Underwriters Laboratories conducted to make that certification.

Other means of protection

WSJ: If not by regulation or increased government oversight, how could one ensure that cloud suppliers don’t increasingly become victims of cyberattacks?

PROF. SMITH: I’m not sure if regulations are the best engine—regulations are great for working with known and well-understood threats. Not so much with emerging threats.

I think the best bet would be for the industry to partner closely with academia and the military in supporting joint research programs, perhaps starting with doctoral programs in computer science, information technology and information systems. This is an area where such collaborations make sense because national-security interests are at play.

MR. SCHRUERS: Another step policy makers can take is to not impede the private sector from making their services safer. The widespread use of encryption is a critical means of preventing and deterring network-based attacks. Unfortunately, some law-enforcement constituencies demand that digital services put their encryption keys under the doormat—as if adversaries don’t know to look under the doormat too.

Additionally, half of prevention is deterrence. The private sector can take actions toward risk management and mitigation, but only the government can achieve global deterrence. So, while the business community hardens defenses against the many advanced, persistent threats we confront, nation-state level threats need to be met by the government.

MR. CONNER: I think both government and private actors have a responsibility to protect Americans from cyberattacks. I believe we need oversight and regulation. But we also need businesses to invest sufficiently to protect against attacks. I’ve worked in several Silicon Valley startups, and very rarely do internal calls for more security win out of over those pushing for faster innovation, sometimes with disastrous consequences.

Weighing their scale

WSJ: Some say that market-share concentration among cloud players is a good thing, or at least unobjectionable, because it takes vast scale to afford the financial and technical resources to protect data from sophisticated attacks. Do you agree?

MR. SCHRUERS: We have to remember that concentration is an indirect indicator. Policy makers shouldn’t be in the business of arbitrarily determining the optimal size of a company. They should be tracking the indicators that matter to consumers: price, quality, innovation.

An industry can concentrate and become lethargic and rent-seeking, but concentration can also produce efficiencies of scale and scope. This is why it’s essential to look at concentration alongside more direct indicators, like price, quality, productivity and R&D.

PROF. SMITH: For me, concentration of market share is neither good nor evil, in and of itself. What is the company doing with that market concentration? This is where the culture of the company matters, and goes back to the matter of trust that I began with—it takes time to build and moments to demolish.

Regulations cannot build a healthy corporate culture. But regulations can perhaps work to discourage temptations to extract higher revenues [from consumers] without adding value, creating instruments that make the lock-in problems worse, etc. Coming up with these types of regulations is a difficult problem—with the danger of unintended consequences.

MR. CONNER: The high concentration in a few online infrastructure services certainly has benefits in terms of security expertise and resources. But concentration also creates vulnerabilities as it allows adversaries to more easily focus all of their efforts on a handful of services. A concentrated market lacks the resiliency of a pluralistic one.

Additionally, commercial cloud products often offer additional security features at a significant premium, meaning that many business consumers may choose the cheaper options with greater security risks—thus eclipsing the purported benefits of a concentrated market.

Finally, concentration in online infrastructure services creates the potential for other types of abuse of business users and consumers: from putting in technical and monetary barriers to removing data from these services to giving preferential treatment on their other online services for their customers.

Antitrust considerations

WSJ: Should cloud services be under stricter watch for possible noncompetitive practices, such as tying their cloud services to other products they sell, such as remote software access and website management?

MR. SCHRUERS: I become wary anytime policy makers target specific firms for scrutiny. As we saw with Nixon’s interference in the ITT case and the Trump misadventure in

AT&T

-Time Warner, antitrust can be a potent weapon against political opponents. Competition decision-making shouldn’t consider noncompetition factors. The [Justice Department’s] Antitrust Division isn’t the place to formulate cybersecurity policy.

MR. CONNER: I think it is important to note that the competition we do see in the online infrastructure services sector has only been because a few tech giants have been able to vastly cross-subsidize the huge capital requirements to build out these services. Smaller players that solely focus on serving the online infrastructure market have struggled to match this.

Congress has the opportunity to take an important step to end the unfair self-preferencing practices that are sadly now commonplace. The nondiscrimination bill that passed out of the Senate Judiciary Committee with an overwhelming bipartisan 16-6 vote takes important steps to prohibit gatekeeping entities from self-referencing their own services and will ultimately improve choice for consumers. A similar bill passed last year out of the House Judiciary Committee. Passing this bill is an important step toward unleashing the next cycle of innovation and leveling the playing field.

MR. SCHRUERS: I note that [this legislation] isn’t a security bill, and was obviously not drafted with security in mind. One reason multiple Senate Judiciary members expressed concerns about the bill—including supporters—is the security implications of compelling leading digital services to interconnect and share data with adversary-backed rivals. And we cannot ignore that supporters of these bills have made clear they are gerrymandered around Amazon,

Apple,

Google, and Meta. No serious approach to cloud infrastructure security excludes Microsoft,

IBM

and

Oracle.

Mr. Ziegler is a former Wall Street Journal reporter and editor. Email him at reports@wsj.com.

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8



Original Source link




Leave a Reply

Your email address will not be published.

26 − twenty one =