The federal government currently has few tools to deal with a major cloud services disruption. NPR's Steve Inskeep talks to Marc Rogers of Q-Net Security about the White House looking to change that.

Transcript

STEVE INSKEEP, HOST:

Your federal government says there is a special vulnerability for many American institutions in the cloud.

(SOUNDBITE OF THUNDER CLAPPING)

INSKEEP: No, no, no, no, no, no, not that kind of cloud. We're talking about the internet. In his new cybersecurity strategy, President Biden identified cloud security as a major threat. Officials talk of a variety of changes and reforms, including the possibility of requiring cloud service providers like Amazon and Microsoft and Google to try to verify the identities of their users to make it harder for foreign hackers to do what they do. We called up Marc Rogers, who is a, quote-unquote, "ethical hacker" and chief security officer at Q-Net Security. Rogers helped us explain where the cloud is.

MARC ROGERS: So the cloud is on-demand computing that's hosted in data centers all over the world, connected to the internet, that often replaces software products you may have traditionally run on your PC or home office.

INSKEEP: I think that I know someone who has physically seen the cloud, and it seems not actually to be on a cloud. My brother works for various tech companies and has visited a bunch of those data farm server farms across the country. That's where it is, right?

ROGERS: Yeah. Absolutely. And we have a saying in cybersecurity that is, there is no cloud. It's just somebody else's computer.

INSKEEP: Well, I'm thinking about the upside and downside of that. I suppose the upside is all the information is copied out there. The downside is all the information is copied somewhere else that's not close to me.

ROGERS: Yep. That's exactly it. Between cloud and open-source software, we've probably seen the greatest democratization of innovation since computing began. So all these wonderful services that you can access online are largely driven by the cloud and how easy that makes stuff happen. But on the flip side, it's running on somebody else's computer. And so you're entirely dependent on how well they make sure their overall system is secure and the policies and processes they have in place.

INSKEEP: What are some of the ways that someone could attack the cloud generally, or some part of it, some data farm somewhere?

ROGERS: So one of the biggest risks is when software was running on your PC at home or in your office, it was a single target - so may or may not have been particularly attractive to threat actors, depending on what your business is. But when you put it in the cloud and suddenly you have a million of those all in the same place, you've got a basket of golden eggs that attracts a lot of threat actors. So that's the first challenge, is that the cloud becomes a very attractive target. The second challenge is you don't really get to see how they build their environment. And so as we've seen in quite a lot of the big breaches that happen, they're often, you know, missed steps in terms of good security practice. And there are vulnerabilities just like you would find in your software running at home that exist in the cloud. But you don't get to see that because it's up to the cloud service provider to maintain it.

INSKEEP: You referred to breaches that happen. Give me some case histories here. What's an example of the cloud or a portion of it being exploited, broken open or taken down?

ROGERS: Well, I mean, it's unfortunately all too common. So if you do a search for any large breach that's happened in, I don't know, just the last six months and you see big company names like Microsoft, Google, LastPass, all of those are cloud security breaches.

INSKEEP: Is United States government information vulnerable in this way?

ROGERS: Yes. Unfortunately, it is. If you read the recently released National Cybersecurity Strategy, it talks about the cloud, it talks about critical infrastructure, and it talks about much more proactive ways that they're going to defend forward in protecting this stuff. So the government is aware, but, at the same time, the government is also seeing the cloud as a way to get away from a lot of the legacy problems they have. There's a lot of really old computing in federal space. You know, there are agencies that are using systems that are decades old, well out of date, and that need to be replaced. And the cloud is an attractive way for them to lift all that stuff up and update it at minimal cost. But the problem is, if you do that without taking into account what I said before about the other risks that are created, you're potentially creating a whole new set of problems.

INSKEEP: I want to remind people that you're described as an ethical hacker. Companies hire you to try to hack systems, so they can know how it could be done and guard against it. Have you hacked into cloud computing systems?

ROGERS: I have. It's hard to describe the kind of systems that I've been into without disclosing things that I'm supposed to be keeping in confidence. But I can talk about some things that I've done publicly.

INSKEEP: Sure.

ROGERS: Probably the most well-known one is I hacked the Tesla Model S back in 2015. And you may ask, what does a car have to do with the cloud? Well, the Tesla Model S is a cloud-connected car. So it talks up through the internet, through telecom services, to the private cloud that Tesla runs inside their facilities and sends a lot of data up there. By hacking the car, I was able to then break into that infrastructure and gain access to the factories and other information. So that's one of the challenges that the cloud has, is often the things that connect into it become the weak points. So all those IoT devices out there that are cloud-connected can become areas of vulnerability that can allow someone into that cloud and gain access to it.

And we never truly know exactly how much data these things are collecting. We've seen, now, things like vacuum cleaners, like the Roomba that are - have cameras on them and that record footage of your house. We wear wearables that record medical information and store that in the cloud. So often, breaking into something as innocuous as a footstep tracker can lead to some very significant information about you being taken out and passed into the hands of hostile threat actors. It's really good that the government is talking about this problem because they're shining a spotlight on what has been, until now, sort of an area that hasn't had enough focus, I think. There's been a lot of focus on how the cloud can save us and not enough focus on the risks around the cloud.

INSKEEP: Marc Rogers, it was a pleasure talking with you. Thank you so much.

ROGERS: Thank you very much for having me.

(SOUNDBITE OF SONG, "THUNDERSTRUCK")

AC/DC: Thunder. Transcript provided by NPR, Copyright NPR.