Slashdot Mirror

← Back to Stories (view on slashdot.org)

Department of Defense May Give Private Cloud Vendors Access To Top Secret Data

Posted by Soulskill on from the what-could-possibly-go-wrong dept.

An anonymous reader sends news that the U.S. Department of Defense is pondering methods to store its most sensitive data in the cloud. The DoD issued an information request (PDF) to see whether the commercial marketplace can provide remote computing services for Level 5 and Level 6 workloads, which include restricted military data. "The DoD anticipates that the infrastructure will range from configurations featuring between 10,000 and 200,000 virtual machines. Any vendors selected to the scheme would be subject to an accreditation process and to security screening, and the DoD is employing the Federal Risk and Authorization Management Program to establish screening procedures for authorized cloud vendors, and to generate procedures for continuous monitoring and auditing."

11 of 60 comments (clear)

  1. Not "The Cloud" by Eevee · · Score: 5, Informative

    They're looking for cleared contractors to set up private clouds in their facilities.

  2. Outrage by hammeraxe · · Score: 2, Insightful

    I expect there to be outrage here on slashdot. But think about it. How is this really different from, lets say, Lockheed Martin designing the F-35 and storing all the design data associated with it. Sure, they're not a "private cloud vendor", but they're probably running a bunch of servers for this purpose. So "top secret cloud" is already happening.

    1. Re:Outrage by _Shad0w_ · · Score: 2

      It has been for years. Pretty much every business in the world that deals with defence contracts will store restricted material on their own site and computer systems at some point. In the UK there's even a designation for it List-X Site. Other countries have their own designation.

      --

      Yeah, I had a sig once; I got bored of it.

    2. Re:Outrage by BitZtream · · Score: 5, Insightful

      Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet. Us old folks call it 'a file server on the internal network'. Of course, us old folks don't call things 'the cloud' either unless talking to people who don't understand networks, so for your case I'll use 'cloud'. Lets not forget that Lockheed is also the one who actually designed and built the thing, so they already have the data by definition.

      Lockheed also doesn't want the data getting stolen, they are VERY motivated to protect it. They can't sell F-35s for a ridiculous price if anyone can make them for a lot less. The government doesn't want China getting F-35s, so they are both motivated to work together to make sure that doesn't happen.

      Someone else, like Box, Dropbox, Google or Sharefile only have the interest of not getting some bad publicity. If the designs for the F-35 are stolen from one of those systems, at most they are out a single customer, Lockheed, but not enough of the rest of the world is going to give a shit and move as well ... ASSUMING Lockheed would. The sharing services don't care if China gets the plans to the F-35. Worst case, some rogue nation gets the plans, makes a bunch of military assets and then invades the US (I did say WORST case), the execs at the sharing service will have already sold some assets well in advance and moved somewhere they can watch the thing play out from relative safety.

      There is practically no real motivation for file sharing services to put more than a basic effort into security other than small amounts of pride. Greed trumps pride.

      You don't understand the outrage because you don't understand the pattern and you're simplifying it into something its not.

      Of course, you're also just reading the slashdot headline and summary and not the actual article, which states that they are looking for ways to certify contractors to create and work on a DoD private cloud ... NOT outsourcing their data storage to someone else like Box or Sharefile. It'll be in a DoD owned and managed data center at some military installation.

      So basically, not only do you not understand why slashdotters with a clue would be outraged, you don't understand what is actually being discussed, partially due to the ignorance of slashdot editors but mostly because you couldn't be bothered to read the story you're commenting on.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Outrage by AmiMoJo · · Score: 3, Insightful

      Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.

      I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.

      China and Russia already have the F-35 plans.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Outrage by Mr+44 · · Score: 2

      You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.

    5. Re:Outrage by luis_a_espinal · · Score: 2

      You have no idea how this stuff works. There's not a grey area - classified material is stored on air-gapped networks, and no, any machine which has ever been on the internet is not connecting to that network.

      It is slashdot. Everyone here is an expert at bashing crap they don't know :/

  3. Oh. Sure! by Greyfox · · Score: 2

    Yeah I could see that working. You'd just want your cloud air-gapped from any public network, and to not provide any remote access. If you did that, I think it'd work great!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. Use iCloud by Anonymous Coward · · Score: 2, Funny

    Apple has proven itself over and over being both trustworthy and highly skilled at security.

  5. Re:Failure by luis_a_espinal · · Score: 2

    Nothing like setting oneself up for failure.

    Exactly. Secrets need to be kept in house, and even then they're not totally secure. Give it to a contractor and even the most idiot person in the world will understand that there is a 99% chance you'll find that info spilled on the internet. I guess nothing stands in the way of cost reductions to zero eh ? Stupidity all around.

    That is stupid. The same can be said for disgruntled employees. When we are talking contractors in a DoD setting, we are not talking about Infosys handing over work to someone overseas, but:

    1. a bunch of US Citizens of different technical backgrounds already with sufficient clearance,
    2. that works for a defense contractor,
    3. for a very specific project
    4. under non-negotiable guidelines of security
    5. AT facilities physically vetted for the necessary clearance

    Nothing on that list will prevent someone from leaking stuff out to the interweeds, but to presume that under those conditions there is a 99% change of that (as you said), that is just nonsense.

  6. Nonsense by luis_a_espinal · · Score: 3, Informative

    Except that 'cloud' at Lockheed is entirely 'in house' and not accessible from the outside world at all. Its certainly not available on the Internet.

    I seriously doubt that, as do many Chinese/Russian hackers. Even if the fileserver itself isn't on the internet, you can bet that client machines which connect to it are. I bet they allow VPN access to their internal network too, since they have more than one location.

    China and Russia already have the F-35 plans.

    As a former engineer at a defense contractor, I can say this: you cannot VPN to internal networks vetted for cleared work (aka "secured labs". In fact, you cannot even connected to secured labs from within an internal network. You have to physically walk in into a secured lab from where to connect to a secured network (where you have to sign in, sign out, and leave all electronic gadgets behind.) You cannot VPN nor work from home when you work on classified stuff. You need to be on-site on a partitioned network infrastructure.

    And once there, that secured network has only access to resources specific to designated projects on a 'need-to-know' basis, and only for work at or below a given security level.

    Meaning, a secret-level lab cannot access resources from a top-secret project, and/or top-secret lab A designated to work on project X cannot access resources allocated on secret lab B designated for project Y if projects A and Y are unrelated or firewalled even though lab A has greater clearance than lab B.

    You cannot even print in many of these labs. Any information that must be transmitted from one lab to another is permitted only by a IA officer that is not assigned to any project and whose only work is to enforce the firewalls. And when that information is permitted is via encrypted devices carried by hand (sometimes we refer to those as sneaker nets.) These labs are physically separated down to the wire (and sometimes backup power generators.)

    Nothing of the above can 100% prevent leakage due to stupidity or ulterior motives. But to assume that clients machine simply connect to a fileserver on a sec lab, that is just nonsense. It can happen due to malice or stupidity (I mean, anything not forbidden by physics or mathematics is possible). But that is not the general case, and as a result, you cannot simply presume it as a matter of fact.