The Washington Post and the Wall Street Journal reported on July 12, 2023 that Microsoft’s cloud computing system was hacked by a Chinese group called Storm-0558. The attacks were described as impressive and stealthy. The Microsoft cloud platform hosts commercial and government clients, including the US Defense Department.
According to what we know so far, which admittedly isn’t much, Chinese hackers got into the Microsoft cloud system in April and were able to operate there undetected until mid-June. In other words, for at least six weeks the Chinese spies had a free lunch at the expense of American security.
Chinese hacking of American cyber assets is nothing new. So far, despite strong efforts, the Defense Department and other government organizations (particularly the Department of Energy which is in charge of nuclear weapons) have been routinely hacked.
A clear example is that some 50 gigabytes of sensitive information on the F-35 stealth jet fighter was vacuumed up by China, making it far easier for them to design their J-20 stealth jet.
Unfortunately, what we know about is only the tip of the iceberg. It is difficult to discover hacking in the best of circumstances. Cloud and network operators also don’t want to know they have been hacked because they face losing billions of dollars in business. And the US government also does not want the public to know it has lost billions of investment dollars paid for by US taxpayers. Worst of all, US security always takes a hit when computer networks, including the cloud, are compromised
It is important to know that the latest compromise was completely predictable. Back in 2018 I served on a panel of experts at Hudson Institute. Our panel discussed the Pentagon’s then-plan to put all DOD data on a single cloud platform run by Amazon’s Jeff Bezos. In part thanks to the serious questions we raised at the time, the Pentagon finally backed off a single cloud data repository and opted for breaking up DOD’s cloud computing into a number of separate cloud contracts.
That decision helped, a little, in spreading around the risk, but it also introduced other problems.
For example consider that the Microsoft platform combines commercial with government data. Consider also that because the government data, in this case apparently emails, were not classified, stringent security rules requiring cleared personnel, did not apply.
The government’s division between classified and unclassified computing is phoney baloney. Lots of sensitive technology, for example, is unclassified. If that information gets into the hands of a bad actor, such as China, US national security is compromised.
DOD has come up with a new category called “Sensitive But Not Classified (SBU).” The idea behind it is to apply stricter disclosure rules for SBU information.
Unfortunately there is no rulebook that says how to identify SBU information. When it comes to emails that are ostensibly unclassified, there are no rules whatsoever.
- Trump and Ukraine: what Russia wants, what Trump could do - November 8, 2024
- North Korean troops in Kursk could backfire on Moscow, Pyongyang - November 1, 2024
- Secure enclaves: bad CHIPS Act idea wasting billions - August 12, 2024