The Government Accountability Office (GAO) is pushing agencies to implement security measures to protect their cloud computing services against cyberattacks, following the July hack of Federal agency cloud-based email accounts by China-based threat actors.
The watchdog agency emphasized in an August 10 blog post that because the “Federal government has recognized [the] benefits and is increasingly using cloud computing services,” any failure to implement “cloud security measures makes Federal agencies and their computer systems vulnerable to cyberattack.”
That vulnerability was on display in the July compromise of several Federal agencies’ cloud-based email accounts by China-based threat actors. The attackers exploited a flaw in a Microsoft cloud-computing environment to gain access to the email accounts.
The breaches reportedly occurred at over two dozen organizations; among the Federal officials compromised during the cyber-espionage campaign were several State Department officials.
GAO recently examined how four Federal agencies – the departments of Homeland Security, Treasury, Labor, and Agriculture – use and protect cloud computing services. When it analyzed how those agencies protected their cloud systems, GAO found that they did not consistently follow key security practices.
For example, GAO found that the departments “performed continuous monitoring for [three] of the 15 systems” it reviewed. “For the remaining 12 systems, the departments had only partially implemented continuous monitoring processes,” leaving them with less awareness of security risks and of changes to those systems.
GAO also reiterated a concern it had previously reported: agencies were not consistently using the Federal Risk and Authorization Management Program (FedRAMP), the government-wide program for authorizing and protecting cloud services.
“We surveyed 24 Federal agencies about their use of a Federal program for protecting cloud services. At the time, 15 of 24 agencies told us they didn’t always use this program. Departments also reported limitations in their ability or methods of overseeing these services. Specifically, continuous monitoring against attacks had to be done manually and was not automated,” GAO stated.
In May of this year, GAO made 35 recommendations to the departments of Homeland Security, Treasury, Labor, and Agriculture to improve cloud security practices. Those recommendations included ensuring that they fully document who has access to systems, continuously monitoring against attacks, and adhering to guidance on protecting cloud systems.
“We are also waiting for other Federal agencies to take action on 12 of our 25 recommendations from 2019. These actions would also improve the security of these critical cloud systems and help prevent disruptions that could impact the public,” GAO stated.
For example, the Federal watchdog recommended that the Office of Management and Budget establish a process for monitoring and holding agencies accountable for their use and protection of cloud services.
GAO also acknowledged that adopting cloud services gives Federal agencies a way to acquire computing services more quickly, and possibly at lower cost, than building, operating, and maintaining those resources themselves.
“So, it can save taxpayers money. But the vulnerabilities also have significant costs,” GAO stated.