The Future of “Clean Cloud”

Michael Garcia is a Transatlantic Digital Debate fellow at New America’s Open Technology Institute and the Global Public Policy Institute and a former staffer on the U.S. Cyberspace Solarium Commission.

A week after signing executive orders to ban TikTok and WeChat, President Trump intimated that he could target other Chinese companies, like Alibaba. Such a move would align with the State Department’s recently issued “Clean Network Program,” the Trump administration’s most comprehensive statement of its plan to rid the United States of Chinese technology and decouple the two economies. Building off of the Trump administration’s approach to 5G, the program details five lines of effort (Clean Carrier, Clean Store, Clean Apps, Clean Cloud, and Clean Cable) to protect the United States from national security threats, specifically from China. Of these five lines, Clean Cloud will become increasingly central given the importance of the cloud to U.S. national security.

The U.S. economy is now dependent on the cloud. Fortune 500 companies like Facebook, Verizon, and Netflix, rely on cloud providers, like Amazon Web Services, and cloud spending has contributed nearly $214 billion to the U.S. GDP and supported 2.15 million jobs in 2017. A report found that a three-to-six-day outage of a major provider could cost up to $15 billion in losses. Also, of the over fifty functions that the Department of Homeland Security has deemed vital to national security, economic security, and public health and safety, nearly all of them rely on cloud service providers.

The growing dependence of U.S. firms on the cloud has not gone unnoticed by Chinese hackers. During a campaign known as “Cloud Hopper,” hackers associated with the Chinese Ministry of State Security infiltrated eight providers, including IBM and Hewlett Packard Enterprises, and were able to “hop” into their clients’ systems to steal corporate and government secrets.

The threat to U.S. data is not only from Chinese hacking operations. If Chinese cloud providers gain market entry in the United States, they could be compelled to cooperate with government intelligence efforts under Chinese law. Consequently, American data would end up in the hands of China’s Ministry of State Security through legal coercion. While China’s largest cloud provider, Alibaba Cloud, has only two data centers in the United States and less than 10 percent of the global market share for cloud services, they announced a deal this summer to tap into nine additional data centers in the United States.

One response to Chinese targeting of U.S.-based cloud service providers would appear to be for policymakers to raise cybersecurity standards through regulation or voluntary frameworks like those created by the National Institute of Standards and Technology (NIST). However, this approach has proven difficult in the past—The NIST Cybersecurity Framework is reported to be adopted [PDF] by only 50 percent of U.S. organizations. The U.S. government has explored a multitude of ways to incentivize better cybersecurity practices among cloud providers, yet with Congress preoccupied with other fiscal matters, it could be a long time before they approve significant financial incentives for cloud providers to improve their cybersecurity.

Even if policymakers get incentives right, they still have to decide what they are going to do about “untrusted” Chinese providers. With Americans’ opinions of China at an all-time low, U.S. government efforts to denounce Chinese tech products, and China’s limited cloud-market capture in the United States, U.S. leaders will take measures to be seen as tough on China. Through the Clean Network Program, they could copy the playbook used for Huawei and ZTE and ban Chinese cloud companies. Alibaba Cloud, for example, will become an easy target due to its documented ties to the Chinese government. Regardless of policymakers’ intent, benefits could be gained through the Clean Cloud program. However, they should consider important lessons from U.S. efforts to “clean” 5G-telecommunications equipment.

First, the policies created in the name of securing 5G tended to be ad hoc with little forethought of how all the pieces fit together. Although President Trump eventually signed the law creating the National Strategy to Secure 5G Implementation Plan in March, it came after a series of executive orders and policies were implemented. Thus, policies dictated the 5G strategy rather than strategy informing policy. This time around, policymakers should first develop a cloud security strategy by consulting the public and private sectors about how to retain a robust and innovative cloud marketplace while preserving national security.

Second, policymakers will need to decide who will regulate and monitor the activities of untrusted providers. When tackling this question for 5G, Congress and the Trump administration created and tasked a host of bodies with ostensibly the same mission but did not detail how they would interact with each other nor establish their appropriate lanes. These included the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector, the Communication Technology Supply Chain Risk Management Task Force, and the Committee on Foreign Investment in the United States (CFIUS), among others. For cloud, policymakers should leverage existing entities, like CFIUS or DHS’ National Risk Management Center, and determine if their mandates need to be expanded to address cloud security, rather than creating something completely new. That entity, however, should ensure that it consults or coordinates with relevant agencies, such as the Defense Department, which could create cloud security standards for DOD contractors through its Cybersecurity Maturity Model Certification.

Third, the United States needs to increase its participation in technical standard-setting bodies, such as the International Telecommunications Union, to promote secure cloud standards. The U.S. Cyberspace Solarium Commission [PDF] found that “compared to its adversaries, the United States is not participating as much or as effectively in these forums.” However, with some of the largest cloud service providers in the world, it has much to contribute to discussions of technical security standards for cloud technology.

With cloud services underpinning nearly every facet of the American economy, the U.S. government should do everything it can to help secure them. Although politicians are increasingly tempted to target Chinese tech companies to be seen as tough on China, it is imperative that they establish policies that fit together strategically and encourage cooperation with the private sector and foreign partners.