Department of Defense May Give Private Cloud Vendors Access To Top Secret Data

An anonymous reader sends news that the U.S. Department of Defense is pondering methods to store its most sensitive data in the cloud. The DoD issued an information request (PDF) to see whether the commercial marketplace can provide remote computing services for Level 5 and Level 6 workloads, which include restricted military data. "The DoD anticipates that the infrastructure will range from configurations featuring between 10,000 and 200,000 virtual machines. Any vendors selected to the scheme would be subject to an accreditation process and to security screening, and the DoD is employing the Federal Risk and Authorization Management Program to establish screening procedures for authorized cloud vendors, and to generate procedures for continuous monitoring and auditing."

Not "The Cloud"

[Eevee]

They're looking for cleared contractors to set up private clouds in their facilities.

Like nothing could go wrong

[tshawkins]

Plan for invading world.... 1. Hack amazon, download DoD documents detailing access codes for all US drone Weapons". 2. Upload new crapola ones 3. Instant army of killer machines. Profit....

Re:Like nothing could go wrong

[gl4ss]

it's a ploy.

store the massive surveillance of cloud systems on cloud systems so you need to buy more cloud systems to keep the surveillance data of the cloud systems that you stored the surveillance data of the cloud systems on..

That should work out well...NOT!

[ebusinessmedia1]

Nothing like setting oneself up for failure.

Failure

Nothing like setting oneself up for failure.

Re:Failure

Nothing like setting oneself up for failure.

Exactly. Secrets need to be kept in house, and even then they're not totally secure.
Give it to a contractor and even the most idiot person in the world will understand that there is a 99% chance you'll find that info spilled on the internet. I guess nothing stands in the way of cost reductions to zero eh ? Stupidity all around.

Re:Failure

1. Contractors bid for this
2. The lowest bidder who pass all the security tests win. Passing such tests is trivial - make an effort to comply with the demands. Anyone can do that.
3. The lowest bidder needs more money, and starts to cut corners. Hiring cheap workers and skimping on security. Anything that is not regularly tested...
4. With time,we get lots of new Snowdens. Which is probably good for us.

Re:Failure

[luis_a_espinal]

Nothing like setting oneself up for failure.

Exactly. Secrets need to be kept in house, and even then they're not totally secure. Give it to a contractor and even the most idiot person in the world will understand that there is a 99% chance you'll find that info spilled on the internet. I guess nothing stands in the way of cost reductions to zero eh ? Stupidity all around.

That is stupid. The same can be said for disgruntled employees. When we are talking contractors in a DoD setting, we are not talking about Infosys handing over work to someone overseas, but:

1. a bunch of US Citizens of different technical backgrounds already with sufficient clearance,
2. that works for a defense contractor,
3. for a very specific project
4. under non-negotiable guidelines of security
5. AT facilities physically vetted for the necessary clearance

Nothing on that list will prevent someone from leaking stuff out to the interweeds, but to presume that under those conditions there is a 99% change of that (as you said), that is just nonsense.

Re:Failure

[TemporalBeing]

Nothing like setting oneself up for failure.

Exactly. Secrets need to be kept in house, and even then they're not totally secure. Give it to a contractor and even the most idiot person in the world will understand that there is a 99% chance you'll find that info spilled on the internet. I guess nothing stands in the way of cost reductions to zero eh ? Stupidity all around.

That is stupid. The same can be said for disgruntled employees. When we are talking contractors in a DoD setting, we are not talking about Infosys handing over work to someone overseas, but:

1. a bunch of US Citizens of different technical backgrounds already with sufficient clearance,
2. that works for a defense contractor,
3. for a very specific project
4. under non-negotiable guidelines of security
5. AT facilities physically vetted for the necessary clearance

Nothing on that list will prevent someone from leaking stuff out to the interweeds, but to presume that under those conditions there is a 99% change of that (as you said), that is just nonsense.

Not all cleared personnel are US citizens; but the higher the clearance the more likely that is the case.

Re:Failure

[krept]

Also a large portion of personnel working in that environment, even in the federal buildings are contractors. Only difference between that and this, is the location they're working. Which as you said, has to be vetted facility wise to meet the same standards as federal spaces.

Outrage

[hammeraxe]

I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.

Re:Outrage

[_Shad0w_]

It has been for years. Pretty much every business in the world that deals with defence contracts will store restricted material on their own site and computer systems at some point. In the UK there's even a designation for it List-X Site. Other countries have their own designation.

Re:Outrage

The important distinction is third party data really. Lockheed has the design data of F-35s because they built the damn thing. As opposed to putting other documents into private hands for abuse. Insider trading is just the start of potential abuses.

Re:Outrage

[TheP4st]

Lockheed Martin storing F-35 design data make sense. They build it which would be quite hard without access to the design data. Company XYZ storing DoD data that they have not created, do not contribute to or work with is poor security and will increase the possibiliy of another Snowden scenario happening which is plainly idiotic from a security perspective.

Re:Outrage

[BitZtream]

Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet. Us old folks call it 'a file server on the internal network'. Of course, us old folks don't call things 'the cloud' either unless talking to people who don't understand networks, so for your case I'll use 'cloud'. Lets not forget that Lockheed is also the one who actually designed and built the thing, so they already have the data by definition.

Lockheed also doesn't want the data getting stolen, they are VERY motivated to protect it. They can't sell F-35s for a ridiculous price if anyone can make them for a lot less. The government doesn't want China getting F-35s, so they are both motivated to work together to make sure that doesn't happen.

Someone else, like Box, Dropbox, Google or Sharefile only have the interest of not getting some bad publicity. If the designs for the F-35 are stolen from one of those systems, at most they are out a single customer, Lockheed, but not enough of the rest of the world is going to give a shit and move as well ... ASSUMING Lockheed would. The sharing services don't care if China gets the plans to the F-35. Worst case, some rogue nation gets the plans, makes a bunch of military assets and then invades the US (I did say WORST case), the execs at the sharing service will have already sold some assets well in advance and moved somewhere they can watch the thing play out from relative safety.

There is practically no real motivation for file sharing services to put more than a basic effort into security other than small amounts of pride. Greed trumps pride.

You don't understand the outrage because you don't understand the pattern and you're simplifying it into something its not.

Of course, you're also just reading the slashdot headline and summary and not the actual article, which states that they are looking for ways to certify contractors to create and work on a DoD private cloud ... NOT outsourcing their data storage to someone else like Box or Sharefile. It'll be in a DoD owned and managed data center at some military installation.

So basically, not only do you not understand why slashdotters with a clue would be outraged, you don't understand what is actually being discussed, partially due to the ignorance of slashdot editors but mostly because you couldn't be bothered to read the story you're commenting on.

Re:Outrage

[AmiMoJo]

Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.

I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.

China and Russia already have the F-35 plans.

Re:Outrage

[captbob2002]

... Us old folks call it 'a file server on the internal network'. Of course, us old folks don't call things 'the cloud' either unless talking to people who don't understand networks, so for your case I'll use 'cloud'...

I've lost count of the times I have told people the "The Cloud" is just using someone else's computer for storage. They are always shocked. I am not sure what that actually thought "the cloud" was.

Same folks that are shocked to learn that Google is reading their Gmail.

Re:Outrage

I've lost count of the times I have told people the "The Cloud" is just using someone else's computer for storage. They are always shocked. I am not sure what that actually thought "the cloud" was.

A cloud is a penetrable vaporous entity storing atoms of various other entities which themselves do not interfere with the penetrable characteristic of the cloud.

Re:Outrage

Boy, I learned this the hard way. I was researching starting a cloud provider that would be designed around handling government SBU stuff, where it had to be FISMA compliant with SCAP testing, random and scheduled audits, proper encryption [1] implemented everywhere so that a tape falling off the back of the Iron Maiden truck doesn't result in election year press scandals.

I went to a VC with this, and he looked at my proposal, gutted anything security related to token levels [2]. The staff which were to be seasoned vets (both IT veterans and military veterans) was changed to being remotely administrated from a foreign country (because it was dirt cheap to do so), and the local people at the facility would be essentially sub-contracted to the lowest bidder, and whose role is solely to get stuff physically wired in, and call a number if anything is untoward.

Of course, this breaks a ton of FISMA rules, but the VC didn't care, as once the contract was signed and he and his were paid, the business could go bankrupt, leaving everyone else who didn't get theirs off the top holding the bag. The VC demanded his exit strategy be in place before almost anything else.

If the market forces other cloud providers to just throw away everything, security-wise, just like the above mentioned VC wanted, I wouldn't want to store Linux ISOs... much less PII or more sensitive data.

This market segment is still here. Someone makes a FISMA-compliant provider [3] that doesn't take shortcuts on security... and is audited/inspected both on a periodic basic and randomly, and it will have customers beating a path to its door.

[1]: Encryption is worthless unless a proper key management system is in place. Take tapes, for example... on one end, you can set a password on the silo, and the job is done. Or, you can get a special appliance that generates a different key for every write to every tape. Of course, if that appliance fails, you are hosed (the way to back that appliance up? But another appliance and mirror.) Fail the other way, and the bad guys now just type in that password and have access to the data.

[2]: Internal firewalls are in place for a reason, and there is a reason why SAN fabric is redundant.

[3]: I wouldn't consider a provider with two data centers in geographically separate locations, both locations mirroring each other a true "cloud"... but it functions as well as a cloud provider.

Re:Outrage

[bleh-of-the-huns]

Yes, contractors do maintain sensitive data, but it is usually (I say usually because some people get lazy, and then dinged by audits, quite often) stored in a SCIF, or a secured section of the datacenter that is secured in the same way as a SCIF.

Re:Outrage

[Mr+44]

You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.

Re:Outrage

[luis_a_espinal]

I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.

Bingo. Amazon has been hiring people with sec. clearance for quite some time. These DoD clouds are not stuff deployed on typical heroku or AWS, but cloud infrastructure deployed on secured facilities.

I blame the term "the cloud", too amorphous of a term to mean just about anything.

Re:Outrage

[cellocgw]

China and Russia already have the F-35 plans.

I certainly hope so! Just wait for them to try to *build* the F-35 and watch their budgets explode just as wildly as the intra-USA budget has.

Re:Outrage

[luis_a_espinal]

You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.

It is slashdot. Everyone here is an expert at bashing crap they don't know :/

Re:Outrage

[TemporalBeing]

I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.

Bingo. Amazon has been hiring people with sec. clearance for quite some time. These DoD clouds are not stuff deployed on typical heroku or AWS, but cloud infrastructure deployed on secured facilities.

I blame the term "the cloud", too amorphous of a term to mean just about anything.

Reality is that they're only replacing existing DoD contractors that are already providing theses services but at a much higher cost. This just opens the playing field up a bit more. That's all this is about - helping reduce costs on existing services.

Re:Outrage

[The+MAZZTer]

AFAIK DoD contractors are required to keep classified data on a separate network from unclassified data. Classified network should have no internet access. "Closed areas" are used to keep the networked machines physically separate. Set procedures are in place for moving data between the two networks. This sounds like Top Secret data would be travelling across the internet (likely there will be strict standards on VPNs to use and encryption and whatever).

Ex

Cellent.

Natch is be bullshit.

What happens...

when the cloud has rain?

Did you think about that?

HAHAHAHA!! ROFLMAO! LOLS! LOLS! LOLS!

Eh...my contribution was about as intellectual as 99% of what shows up on slashdot these days.

Good idea!

[niff]

What could possibly go wrong?

Ob

[Hognoxious]

How about a nice game of chess?

Welcome to Itchy & Scratchyland..

..Where nothing could possibli go wrong.

Oh. Sure!

[Greyfox]

Yeah I could see that working. You'd just want your cloud air-gapped from any public network, and to not provide any remote access. If you did that, I think it'd work great!

Re:Oh. Sure!

They plan on using belkin routers. I believe testing for restricting access at the push of a button is already underway.

Use iCloud

Apple has proven itself over and over being both trustworthy and highly skilled at security.

Got new for you:

Private vendors already build military systems.
Do you think the F-22 or F-35 are built by federal employees?
Nope. Everything from design to construction is outsourced to private industry.
Why should a 200,000 VM cloud system be any different?
This is a non-story.

Re: Got new for you:

When is everybody going to figure out that this wholen"cloud computing" thing being actively pushed by government and media is all about:

- Creating steady revenue streams where there weren't any before.

- Reducing control of your own data, as a bunch of celebs found out about. It also makes it possible (and this is important) for third parties to respond to subpoenas and warrants without your knowledge.

- Reduce employment among IT professionals. Always a laudable end for business executives.

So the whole point of this is so that salespeople can say 'look, even the DOD does it' in response to anybody pointing out how dumb this is for so many use cases.

Can't Wait for the Political Porn Leaks

[chaosdivine69]

Can you imagine the selfie porn leaks then? Ewwwww, I just threw up in my mouth a 'lil.

The reaction to Snowden

[geekmux]

Government got pissed with the Snowden leaks, and this is their reaction?

Let's put it in a "secure" cloud?

Wow. So it wasn't just a rumor. They actually have a medal awarded for Ignorance.

So what? The CIA already does this...

http://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/

"cloud" vs "remote server"

[BringsApples]

We keep this stupid term "cloud" as if we're all idiots. "The Cloud" is a term made up for simple people that are using it as a place to store their pics and stuff. It's a marketing term.

Re-read this article and replace "cloud" with "isolated remote server" and all of the worries just slip away.

Re:"cloud" vs "remote server"

[Virtucon]

Actually no. It involves a whole stack of services including self provisioning, scaling and resource allocation that can include long or short term utilization. It can also include software licensing as part of the deal. The remote server is one piece of the puzzle. It's commoditization of compute resources which can help to drive down costs and you can keep it long term or dispose of it as soon as you use it. It appears that the DoD is looking to reduce costs in one particular area, storage. Anybody who's priced a SAN infrastructure in the PetaByte range will tell you it's not cheap.

Re:"cloud" vs "remote server"

[BringsApples]

Of course. But it's simply a remote place or places that data sits, and is "served" accordingly. The rest is just bells and whistles. In a scenario where we call rent-a-car, "cars in the cloud", we would be just as silly.

Re:"cloud" vs "remote server"

[Virtucon]

rent-a-car or zipcar or lyft or uber are similar paradigms. Cloud is just a term but the concepts go beyond a remove server. What IT doesn't like is the fact that now the business side of the house can go get this themselves, when they want and how they want it. Oh and your data doesn't have to "sit there" unless you want it to. From a pure data service perspective yes you can let it sit there but I wouldn't unless it's encrypted.

Re:"cloud" vs "remote server"

[BringsApples]

zipcar or lyft or uber are similar paradigms

Ok, I didn't think of it in that way. I was thinking in terms of:
user-device-->interface-->computers-owned-by-service-->calculations(maybe)-->interface-->user-device etc...

If what you're saying relates, then the data is not owned by "service", but by the "user", and the "user" can freely move that data to whatever "service" they wish. Is that correct? Because honestly, every time I hear "the cloud", I only think "Utah Data Center".

Re:"cloud" vs "remote server"

[Virtucon]

Oh yeah you own the data. Any public cloud service provider will tell you that. You're also responsible for backup/duplication unless then bundle that in as part of the offering. You still have the same data management requirements you'd have in your own data center. The difference being now you can spread that information across multiple AZs cheaply to provide data resiliency in case of outage or disaster.

Re:"cloud" vs "remote server"

[BringsApples]

Very interesting, thanks. It's very cool when people, as you just did, respond with knowledge in a way that isn't offensively propping themselves up on a pedestal. Makes me glad to still visit slashdot.

iCloud

Maybe Apple should bid the contract. They seem to have a good record for security lately.

Can't wait for the...

"Department of Defense Cloud Hacked" headline.

How stupid can you get?

[whizbang77045]

How stupid can you get? Oh, it's the Department of Defense, Never mind...

What could possibly go wrong?

[mikein08]

Surely no one would try to hack, much less succeed at hacking, this data. Would they?

"In the cloud" and "Top Secret" oxymorons

[gestalt_n_pepper]

Which won't stop actual morons from trying it. These are the guys who are buying server hardware with components made in China. How could anything go wrong?

Monitoring and Auditing

[PPH]

Yeah, right.

They can't keep foreign nationals from working inside the same contractors' facilities as their DoD projects are being worked. Sure, its in the next cubicle over.

Nonsense

[luis_a_espinal]

Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.

I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.

China and Russia already have the F-35 plans.

As a former engineer at a defense contractor, I can say this: you cannot VPN to internal networks vetted for cleared work (aka "secured labs". In fact, you cannot even connected to secured labs from within an internal network. You have to physically walk in into a secured lab from where to connect to a secured network (where you have to sign in, sign out, and leave all electronic gadgets behind.) You cannot VPN nor work from home when you work on classified stuff. You need to be on-site on a partitioned network infrastructure.

And once there, that secured network has only access to resources specific to designated projects on a 'need-to-know' basis, and only for work at or below a given security level.

Meaning, a secret-level lab cannot access resources from a top-secret project, and/or top-secret lab A designated to work on project X cannot access resources allocated on secret lab B designated for project Y if projects A and Y are unrelated or firewalled even though lab A has greater clearance than lab B.

You cannot even print in many of these labs. Any information that must be transmitted from one lab to another is permitted only by a IA officer that is not assigned to any project and whose only work is to enforce the firewalls. And when that information is permitted is via encrypted devices carried by hand (sometimes we refer to those as sneaker nets.) These labs are physically separated down to the wire (and sometimes backup power generators.)

Nothing of the above can 100% prevent leakage due to stupidity or ulterior motives. But to assume that clients machine simply connect to a fileserver on a sec lab, that is just nonsense. It can happen due to malice or stupidity (I mean, anything not forbidden by physics or mathematics is possible). But that is not the general case, and as a result, you cannot simply presume it as a matter of fact.

Obligatory

[penguinoid]

Department of Defense May Give Private Cloud Vendors Access To Top Secret Data

In Soviet Russia, private cloud vendors give government access to top secret data. Wait...

Not just the DoD

[dave562]

The DoD has put the most thought into the subject of co-locating equipment, but the entire Federal government is embracing this model as well. The company I work for provides legal technology solutions to the DoJ and the SEC. Over the last year, every single RFP has had at least some question about our willingness to co-locate hardware in their facilities.

The same thing is happening in the private sector, especially the financial industry. People are so paranoid about data breaches that they are unwilling to trust server providers, no matter how secure the application stack might be.

Again.

State governments are already doing it.

Look, the cloud is just a new buzz word for an old idea. Storing your data on other people's servers all under their control.

If you work for a company or a government agency that has servers and an internet connection, then you already have a "cloud". Why are you paying more money for a service you paid for yourself. It's stupid.

DOD joke: "authority to classify a ham sandwich"

[IndieRafael]

DOD should move some data to the cloud if it makes sense. However, DOD's top priority should be to stop the rampant overclassification of data. This problem costs taxpayers enormous sums. It costs money to classify data and then store it as classified data. Later, if ever, it costs money to decide to declassify the data and do so. Meanwhile, too many people have access. Too often, information is classified to prevent political embarrassment of powerful players, prevent public debate on important questions, or just out of thoughtless habit.

Here's a great excerpt from a March 2014 piece by the coordinator at the non-government National Security Archive. The Archive collects declassified documents as a permanent archive. It is part of George Washington University. He writes:

In fact, it’s so easy to classify new secrets that government classifiers joke that they can find the authority to classify a ham sandwich. These secrets tend to be permanent. Just last month, the Department of Defense blacked out a fact students learn in US History 101 – that the Cuban Missile Crisis ended with a swap of Soviet nukes in Cuba for the US nukes in Turkey. There are so many new secrets created, and so few old secrets released, that the runaway US classification regime has become a menace to American democracy.

The most recent available data shows that in 2012 alone, there were more than 95 million decisions to classify US documents. The cost of storing these secrets for just one year well exceeds ten billion dollars. We can’t be certain of the exact figure, however, because the cost that intelligence agencies, including the CIA and NSA, pay to house their secrets is – surprise, surprise – classified.

The linked article has a great chart showing that the number of classification decisions quintipled starting around 2008, even though it was out of control years before that. DOD's classified data should be a small garden protected with a high wall.

All Snowden's fault

It's all Snowden's fault : The NSA has been laying off sysadmins, to prevent another Snowden. I bet this extends to the DoD generally. And now they're hiring contracting companies to replace them. All is well. :)

9-5ers

I love how everything in the DoD and a lot even in the army is done by 9-5ers now. If they ever had a real war again, they are going to be SOL. Plus long-game foreign government spys will find this easy to compromise.