In the first congressional hearing on federal cloud computing on Thursday, representatives from government agencies and the private sector agreed that even with considerable security questions — particularly from risks posed by foreign nations — moving federal data storage from server farms to the “cloud” would be inevitable.
“If we don’t, as vendors, embrace cloud, we will be out of business,” Timothy Brown, a representative the private firm CA Technologies, stated flatly. “I think the same goes for government.”
As more and more people connect to the Internet and demand fast access to online data and applications, companies and government agencies have made this information more accessible through cloud computing. Through the cloud — a term for a system of data storage with resources such as software and applications shared over a network, instead of being kept on a physical server — organizations can place software and applications online, allowing people to access and use these programs through the Internet.
The hearing, held by the Homeland Security Subcommitee on Cybersecurity, was the first time Congress has examined the issue of cloud computing, which now becomes a federal necessity. Though several agencies have moved their services to the cloud, the Obama administration announced in July that they would begin an initiative to close federal server farms and move government data to cloud storage.
Pointing to systems like Gmail as examples, cloud advocates such as former White House CIO Vivek Kundra make a strong case that the cloud would increase government efficiency, reducing redundancies and allowing people to consolidate and share information and resources.
A move to the cloud, however, raises several security concerns, chief among them is a possible vulnerability to cyberattacks. In the past five years, attacks against government networks carrying sensitive information have risen by 650 percent, and the concept of a cloud storage system — accessible by anyone with a network connection — gave members such as Republican Rep. Dan Lungren pause.
As he put it, the key issue is creating trust among citizens, particularly given two completely different objectives: While users must feel that data is available and accessible, they also must be sure that it is secure. “If you move in the direction of cloud computing, you’re inevitably creating a target-rich environment,” said Lungren, who is chairman of the subcommittee. (RELATED: Homeland Security recruits jittery coffee drinkers to spot terrorists)
Representatives from government agencies on one panel identified multiple challenges for the future migration of information to the cloud, agreeing that it was an inevitable move, from both a cost and efficiency standpoint. However, they cautioned, the federal government needs to be aware of standardizing information and protocols, as well as providing a framework for “consistent monitoring” of who is accessing what information.
They particularly questioned the involvement of foreign companies in building these cloud networks, taking issue with one particular company contracted by the Department of Homeland Security. CGI Computing, an American firm owned by a Canadian company, was contracted to move secure information from DHS servers to an easily accessible cloud.
Richard Spires, the chief information officer from DHS, insisted that they took proper preemptive actions, ensuring, for instance, that all contractors were U.S. citizens unless waived.
At the end of the day, the company that provided the strongest protection would be chosen, according to Greg Wilshusen, a representative from the Government Accountability Office. “This firm,” he insisted, “won this particular test.”
The primary issue for most lawmakers, however, is whether classified information should even be accessible on the cloud, given the prolific and hidden nature of cyberattacks. When asked if certain agencies should refrain from using cloud networks — with Democratic Rep. Yvette Clarke wondering if this would always be the situation — panelists, though firm on keeping that information away from a public cloud, responded with“never say never.”
“It’s going to be quite a while before we feel comfortable placing classified information into a private cloud environment,” said David McClure of the General Services Administration.
Ultimately, the solutions of securing cloud computing must continue to adapt and develop, and all computer users — from the federal government to the average citizen — need to “dispel the myth that there’s a magic control or formula we can put in place” to create open, yet secure, networks, warned McClure.“Security is an ongoing exercise.”