foreignpolicy.com
192.0.66.136  Public Scan

URL: https://foreignpolicy.com/2021/05/24/cybersecurity-cyberattack-russia-hackers-cloud-sunburst-microsoft-office-365-data-leak/
Submission: On November 08 via api from CH — Scanned from DE

Form analysis 2 forms found in the DOM

GET /

<form role="search" method="get" id="searchform-mobile" class="searchform" action="/">
  <label class="hide" for="searchfield-mobile">Search</label>
  <input class="search" type="search" name="s" id="searchfield-mobile" aria-label="Search">
  <input type="submit" value="search-submit" style="display:none" aria-label="Submit">
</form>

GET /

<form role="search" method="get" id="searchform-desktop" class="searchform" action="/">
  <label class="hide" for="searchfield-desktop">Search</label>
  <input class="search" type="search" name="s" id="searchfield-desktop" aria-label="Search">
  <input type="submit" value="search-submit" style="display:none" aria-label="Submit">
</form>

Text Content

ARGUMENT

An expert's point of view on a current event.


RUSSIA’S HACKING SUCCESS SHOWS HOW VULNERABLE THE CLOUD IS


THE CLOUD IS EVERYWHERE. IT’S CRITICAL TO COMPUTING. AND IT’S UNDER ATTACK.

By Bruce Schneier, a fellow and lecturer at the Harvard Kennedy School, and Trey
Herr, the director of the Cyber Statecraft Initiative at the Atlantic Council’s
Scowcroft Center for Strategy and Security.
U.S. Deputy Attorney General Jeffrey A. Rosen at a press conference concerning a
hacking campaign tied to the Chinese government at the U.S. Department of
Justice in Washington on Sept. 16, 2020. TASOS KATOPODIS/POOL/AFP via Getty
Images
May 24, 2021, 10:00 AM

Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted
more than 100 large companies and U.S. federal agencies, including the Treasury,
Energy, Justice, and Homeland Security departments. A crucial part of the
Russians’ success was their ability to move through these organizations by
compromising cloud and local network identity systems to then access cloud
accounts and pilfer emails and files.

Hackers said by the U.S. government to have been working for the Kremlin
targeted a widely used Microsoft cloud service that synchronizes user
identities. The hackers stole security certificates to create their own
identities, which allowed them to bypass safeguards such as multifactor
authentication and gain access to Office 365 accounts, impacting thousands of
users at the affected companies and government agencies.

It wasn’t the first time cloud services were the focus of a cyberattack, and it
certainly won’t be the last. Cloud weaknesses were also critical in a 2019
breach at Capital One. There, an Amazon Web Services cloud vulnerability,
compounded by Capital One’s own struggle to properly configure a complex cloud
service, led to the disclosure of tens of millions of customer records,
including credit card applications, Social Security numbers, and bank account
information.

This trend of attacks on cloud services by criminals, hackers, and nation states
is growing as cloud computing takes over worldwide as the default model for
information technologies. Leaked data is bad enough, but disruption to the
cloud, even an outage at a single provider, could quickly cost the global
economy billions of dollars a day.

Cloud computing is an important source of risk both because it has quickly
supplanted traditional IT and because it concentrates ownership of design
choices at a very small number of companies. First, cloud is increasingly the
default mode of computing for organizations, meaning ever more users and
critical data from national intelligence and defense agencies ride on these
technologies. Second, cloud computing services, especially those supplied by the
world’s four largest providers—Amazon, Microsoft, Alibaba, and
Google—concentrate key security and technology design choices inside a small
number of organizations. The consequences of bad decisions or poorly made
trade-offs can quickly scale to hundreds of millions of users.



The cloud is everywhere. Some cloud companies provide software as a service,
support your Netflix habit, or carry your Slack chats. Others provide computing
infrastructure like business databases and storage space. The largest cloud
companies provide both.

The cloud can be deployed in several different ways, each of which shifts the
balance of responsibility for the security of this technology. But the cloud
provider plays an important role in every case. Choices the provider makes in
how these technologies are designed, built, and deployed influence the user’s
security—yet the user has very little influence over them. Then, if Google or
Amazon has a vulnerability in their servers—which you are unlikely to know about
and have no control over—you suffer the consequences.

The problem is one of economics. On the surface, it might seem that competition
between cloud companies gives them an incentive to invest in their users’
security. But several market failures get in the way of that ideal. First,
security is largely an externality for these cloud companies, because the losses
due to data breaches are largely borne by their users. As long as a cloud
provider isn’t losing customers by the droves—which generally doesn’t happen
after a security incident—it is incentivized to underinvest in security.
Additionally, data shows that investors don’t punish the cloud service companies
either: Stock price dips after a public security breach are both small and
temporary.

Second, public information about cloud security generally doesn’t share the
design trade-offs involved in building these cloud services or provide much
transparency about the resulting risks. While cloud companies have to publicly
disclose copious amounts of security design and operational information, it can
be impossible for consumers to understand which threats the cloud services are
taking into account, and how. This lack of understanding makes it hard to assess
a cloud service’s overall security. As a result, customers and users aren’t able
to differentiate between secure and insecure services, so they don’t base their
buying and use decisions on it.

Third, cybersecurity is complex—and even more complex when the cloud is
involved. For a customer like a company or government agency, the security
dependencies of various cloud and on-premises network systems and services can
be subtle and hard to map out. This means that users can’t adequately assess the
security of cloud services or how they will interact with their own networks.
This is a classic “lemons market” in economics, and the result is that cloud
providers provide variable levels of security, as documented by Dan Geer, the
chief information security officer for In-Q-Tel, and Wade Baker, a professor at
Virginia Tech’s College of Business, when they looked at the prevalence of
severe security findings at the top 10 largest cloud providers. Yet most
consumers are none the wiser.

The result is a market failure where cloud service providers don’t compete to
provide the best security for their customers and users at the lowest cost.
Instead, cloud companies take the chance that they won’t get hacked, and past
experience tells them they can weather the storm if they do. This kind of
decision-making and priority-setting takes place at the executive level, of
course, and doesn’t reflect the dedication and technical skill of product
engineers and security specialists. The effect of this underinvestment is
pernicious, however, by piling on risk that’s largely hidden from users.
Widespread adoption of cloud computing carries that risk to an organization’s
network, to its customers and users, and, in turn, to the wider internet.



This aggregation of cybersecurity risk creates a national security challenge.
Policymakers can help address the challenge by setting clear expectations for
the security of cloud services—and for making decisions and design trade-offs
about that security transparent. The Biden administration, including newly
nominated National Cyber Director Chris Inglis, should lead an interagency
effort to work with cloud providers to review their threat models and evaluate
the security architecture of their various offerings. This effort to require
greater transparency from cloud providers and exert more scrutiny of their
security engineering efforts should be accompanied by a push to modernize
cybersecurity regulations for the cloud era.

The Federal Risk and Authorization Management Program (FedRAMP), which is the
principal U.S. government program for assessing the risk of cloud services and
authorizing them for use by government agencies, would be a prime vehicle for
these efforts. A recent executive order outlines several steps to make FedRAMP
faster and more responsive. But the program is still focused largely on the
security of individual services rather than the cloud vendors’ deeper
architectural choices and threat models. Congressional action should reinforce
and extend the executive order by adding new obligations for vendors to provide
transparency about design trade-offs, threat models, and resulting risks. These
changes could help transform FedRAMP into a more effective tool of security
governance even as it becomes faster and more efficient.

Cloud providers have become important national infrastructure. Not since the
heights of the mainframe era between the 1960s and early 1980s has the world
witnessed computing systems of such complexity used by so many but designed and
created by so few. The security of this infrastructure demands greater
transparency and public accountability—if only to match the consequences of its
failure.




Bruce Schneier is a fellow and lecturer at the Harvard Kennedy School. His
latest book is Click Here to Kill Everybody: Security and Survival in a
Hyper-connected World.

Trey Herr is the director of the Cyber Statecraft Initiative at the Atlantic
Council’s Scowcroft Center for Strategy and Security.

Tags: Cyber Security & Hacking, Russia
