Slashdot Mirror


Amazon Launches a Cloud Service For US Intelligence Agencies (cnbc.com)

Amazon Web Services on Monday introduced a cloud service for the CIA and other members of the U.S. intelligence community. From a report: The launch of the so-called AWS Secret Region comes six years after AWS introduced GovCloud, its first data center region for public sector customers. AWS has since announced plans to expand GovCloud. The new Secret Region signals interest in using AWS from specific parts of the U.S. government. In 2013 news outlets reported on a $600 million contract between AWS and the CIA. That event single-handedly helped Amazon in its effort to sign up large companies to use its cloud, whose core services have been available since 2006.

55 comments

  1. Worst idea EVER by Rick+Schumann · · Score: 4, Insightful

    Why not just post all our Top Secret documents on Twitter where all enemies of the U.S. can find them easily? Would be cheaper and about as secure as any gods-be-damned 'cloud service'! Since when do U.S. Intelligence agencies, or ANY government agency for that matter, not hosting their own data!?

    1. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      As long as Equifax doesn't have it...

    2. Re:Worst idea EVER by oh_my_080980980 · · Score: 2

      Technically it's on on-site hosting. The data is not stored in Amazon's cloud. The CIA is using Amazon's servers on-site.

    3. Re:Worst idea EVER by oh_my_080980980 · · Score: 2

      You mean Barack Obama, his administration approved the deal.

    4. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      Technically it's on on-site hosting. The data is not stored in Amazon's cloud. The CIA is using Amazon's servers on-site.

      Uh, technically it's not a fucking cloud then.

      CIA: Cloud In Ass.

    5. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      The first rule of technical espionage: If you present an adversary with a technical problem whose solution gives them everything, they *will* solve it.

    6. Re:Worst idea EVER by skirtsteak_asshat · · Score: 0, Interesting

      Back when bringing trophy hunt carcasses back to the US wasn't the pressing issue for the duly elected golf course manager under indictment for conspiracy to commit treason. Good point, how times have changed.

    7. Re:Worst idea EVER by omnichad · · Score: 1

      "Cloud" is just the picture you use in a network diagram to represent Internet/Server. It doesn't exactly have a formal definition that's set in stone.

    8. Re:Worst idea EVER by networkBoy · · Score: 1

      how is it not a cloud?
      If it follows the same architecture, layout, and usage model, then it's a cloud. A self hosted one, sure (and I would expect nothing less than self hosted from these agencies!)

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:Worst idea EVER by Anonymous Coward · · Score: 1

      I'd rather have the whole damn government in the private cloud where the fixers can't destroy hard drives, delete pst files and wipe servers with no trace as easily as they have. Whatever supposed risk to national security that you're so worried about is less damaging than the actual criminality we've seen.

    10. Re:Worst idea EVER by EndlessNameless · · Score: 3, Informative

      People have started using terms like "own cloud" or "on-site cloud" to describe infrastructure services that are provisioned internally. Yes, this is stupid and pointless. Yet here we are.

      Your typical internal cloud will have hardware, hypervisor, and management stack all provided and supported by a single vendor. Sometimes they will certify hardware and provide support for whatever you build.

      They basically took the old mainframe business model, broke it out onto gobs of x86 servers, and repackaged it as something new. Now you run your applications on a VM or in a Docker container instead of an LPAR.

      So, yes, local cloud is pure marketing bullshit. But it does refer to something different (and more secure) than regular cloud services.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    11. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      ... not hosting their own data!?

      An exclamation and a question mark, really?

      The US government has been outsourcing a long time, because disposable employees means flexibility and not being counted as government employees makes it 'small government' and because, privatization is better than keeping that knowledge in-house. Plus corporations begging for a turn at the government feed-trough makes politicians very important.

      Such an arrangement would include layers of isolation, so it's not an off-the-shelf service, which allows corporations to demand more money for correctly protecting their customer's data. With all that cash around, of course everyone likes the idea.

    12. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      Internal Cloud was also coined up by people that work at companies where CIO/CEO/CFO people want to know why we aren't in the cloud yet, since their golfing buddies are, and wtf aren't we yet.

      Not doing this invites the said C level people to hire "cloud experts" at high 6 figure salaries that say things like "disruptive" and "oh yes, it's better AND cheaper" and also sort of other bullshit that they want to hear already.

      You bet your ass we tell people our VMware environment is a fucking cloud.

    13. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      You do recognize how easy it is to solve all the problems you just described without putting all the data in someone else's datacenter.

    14. Re: Worst idea EVER by dougdonovan · · Score: 1

      so much for US intelligence having to rely on amazon.

    15. Re:Worst idea EVER by mikael · · Score: 1

      A "Cloud" is when you don't know the routing paths, servers or interconnects used. ISDN was built on the X.25 packet switching system. As a customer all you had was that little socket in the wall, which plugged into your PC. There was no way of finding out the traffic route taken for data as every packet could conceivably follow a different route based on congestion.

      Modern day "cloud services" would just dynamically allocate you a virtual machine on a virtual server, suck up the data from your systems and return it back to you, then have the VM disappear.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    16. Re:Worst idea EVER by networkBoy · · Score: 1

      So, it is a cloud then.
      The system delegates the compute resources and harvests them when free. It's dynamic and elastic based on demand (and total install size).

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    17. Re:Worst idea EVER by sysrammer · · Score: 1

      Interestingly enough, back in the Cold War I remember reading that the Soviets did not really trust the information that they found in our public domain. They couldn't believe that we would purposely be so open.

      So, this is really just the first step in the brilliant plan to release *all* of our data, to foil our adversaries.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    18. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      The government plays the General Contractor role. The only problem is the embedded corruption that has been built into the government procurement operations. Government pay scales are not good enough to attract the top talent in certain fields such as computer hardware and software. Even the military uses highly paid contractors stationed on their advanced Naval assets when deployed. The Aegis Combat System technology uses Navy personnel as operators but there are civilian contractors in the background who understand the technology being used. This isn't a slight against Navy personnel it is just one example where the government uses civilian contractors to enhance the system support operations when deployed.

      People need to stop bitching about someone accessing their data or violating their privacy. The government has always had ways of collecting its citizens' data. Way before the Internet came about. The IRS makes the NSA and CIA look like a bunch of second rate noobs when it comes to collecting data on everybody. And the real kicker is that all the data the IRS compiles on you over the years it can be accessed by the government without a warrant. And nobody has created any technology that would protect a person's private data that cannot be defeated. If someone really wants your encrypted data all they need is the right amount of resources and any government, both foreign and domestic, have those resources. There are non-governmental criminals that also have the resources to access, steal, or destroy any electronic data. When it comes to violating your privacy Google comes in first place in capturing, storing, sorting, analyzing, and selling the personal data from anyone using their services and applications. Google actively drives around the country documenting in pictures and GPS coordinates where everyone works, lives, and plays. Google's Navigator application could serve as a pretty good military application. Search for a name or place, study the 3-d topography in case a ground assault is warranted, jot down the GPS coordinates of your targets, and plug those GPS coordinates into a low tech missile and push the button. It is even possible to piggy back on the satellite and cell tower signals that can track your phone and get real time estimates on the missile you just let fly.

      The government is not a for profit enterprise. Sophisticated and state sponsored cyber criminals and for profit businesses are all about the profit. The government as a whole is basically a crowd of morons who really cannot do anything right. What was the last true success the government has earned? They cannot keep any secrets, they have some of the most advanced naval assets in the world that keep running into other gigantic ships? They cannot muster the courage to really win any war they get involved in.

    19. Re:Worst idea EVER by rtb61 · · Score: 1

      I thought it was like, Amazon has created Google, a cloud that rains your information on various three letter agencies, packaged and filtered for demand. It is pretty obvious that the cloud is just your information, with every corrupt arse hole squeezing that cloud for all they are worth. The delusion, they control your information, they control you, not if you treat your online information like a joke, then they have nothing on you but a clown car. The more seriously you take your online interactions, the far more dangerous, manipulatable and controllable they become. Push back against the online world and treat it with the mocking derision it most deserves (the crap out there on the internet, the censoring control freaks at Google, Facebook and Twitter, those delusional fuckwits carry on like they control the world, whilst they have managed to convince the US government it is true so they waste money with the fuckers, we should all know it is total and utter bullshit, it was always us and the scamming psychopaths at Google et al, especially the big shit at Alphabet are lying for all they are worth, hint, hint because ???). Look they all lost the US election to a bunch of troll yobs and they won't admit it, they were all in the tank for the corporate whore fabricating and censoring their political fantasy out of reality and they lost big time even when the opposition was an orange orangutan with a bad hair piece because their campaign was trolled out of existence. So Amazon now selling its version of Google's bullshit, you pay us enough and we can control the internet yobs https://en.wikipedia.org/wiki/... for you, make them obey (yeah fucking right but the anus brains will milk it for years and for billions only because the other brains is what comes out, rather than what's delivering it, paid for with campaign cash).

      --
      Chaos - everything, everywhere, everywhen
    20. Re:Worst idea EVER by kriston · · Score: 1

      This is the correct response.

      Government entities including CIA own and run the data center facilities. AWS runs the software and systems therein.

      It's not really "cloud" but it looks and feels that way. It's better described as an "On-Premises AWS."

      --

      Kriston

    21. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      Since when do U.S. Intelligence agencies, or ANY government agency for that matter, not hosting their own data!?

      When the fallout from the alleged FCC DDoS ended up with them claiming their solution going forward was "secret stuff our corporate cloud partners do for us", it was pretty clear where things were. I mean, if the Federal *Communications* Commission isn't willing (with the implicit aid of the fucking NSA and CIA) to claim the ability to operate their own public comments website without the help of secret sauce from private corporations. Yup, abandon all hope ye...

      But seriously, your comment seems ignorant of the phrase "military industrial complex". The line between big corporations and government has been foggy as hell for many decades at least.

    22. Re:Worst idea EVER by Anonymous Coward · · Score: 0

      [...] Since when do U.S. Intelligence agencies, or ANY government agency for that matter, not hosting their own data!?

      When it's a set-up (sting).

    23. Re:Worst idea EVER by luis_a_espinal · · Score: 1

      Why not just post all our Top Secret documents on Twitter where all enemies of the U.S. can find them easily? Would be cheaper and about as secure as any gods-be-damned 'cloud service'! Since when do U.S. Intelligence agencies, or ANY government agency for that matter, not hosting their own data!?

      For a while. How the hell do you think DoD contractors do secret/top-secret work? They have their own SEC/TS rated facilities.

  2. Very bad idea by WillAffleckUW · · Score: 1

    Look, we've been using your secure cloud services to get intel on US "secure" communications for years, now you want to encourage it even more?

    Oh, and lock down those cloud backups, they let us triangulate your physical access points. It's like 360 degree 24/7/365 at Mar-a-Lago with only a 0.5 second delay.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Very bad idea by Anonymous Coward · · Score: 0

      Ping time of 500ms is terrible.

    2. Re:Very bad idea by WillAffleckUW · · Score: 1

      Sufficient for acquisition lock. They don't tend to move around that much, so you can predict.

      --
      -- Tigger warning: This post may contain tiggers! --
  3. Didn't some /. poster who works at Amazon by Anonymous Coward · · Score: 0

    Tip this CIA deal off over the weekend?

    Don't mod me up unless you remember that post.

    1. Re:Didn't some /. poster who works at Amazon by Anonymous Coward · · Score: 0

      It wasn't exactly a secret; the news is that it just went operational but they've been building it for the past year with a target of this month to go live.

  4. Honeypot, anyone? by TexasDiaz · · Score: 1

    And thus the biggest honeypot for security professionals was born...

    1. Re:Honeypot, anyone? by AHuxley · · Score: 1

      In the past spies, cults, faith groups had to risk walking around a base, port and try making friends with gov workers, mil, contractors, staff.
      It was a risk and the FBI was always looking for spies, creating fake workers to lure in spies.
      Years of making friends, working out who needed a friend, who could be blackmailed, who would just give secrets, who would sell US secrets.
      Years of trying to get a cult member, spy, dual citizen a job on base and have them improve their clearances over decades.

      Now spies, cults, faith groups, competitors, rival contractors can download US mil/gov/NATO secrets in plain text from the comfort of their own nations, global offices 24/7.
      No more standing around outside a US port, base, camp, fort. No more cover stories, paper work, spy camera, finding a photocopier on base without a paper use counter.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Honeypot, anyone? by Anonymous Coward · · Score: 0

      And yet in the past secrets were lost, often crucial ones, like weapon designs, cryptographic material and the identities of foreign agents. All before 'cloud' and 'internet.'

      It's almost as if the whole idea of a vast secrecy complex filled with enormous quantities of information curated by thousands of people is actually stupid and infeasible. If you need a whole collection of mighty data centers to keep all your secrets then you've already lost.

    3. Re:Honeypot, anyone? by Anonymous Coward · · Score: 0

      They just need to walk around public transport looking for lost USB sticks.

  5. Coming and going... by Anonymous Coward · · Score: 0

    Are they going to sell their own data back to them for analysis?

  6. Yeah..... What could possibly go wrong? by WolfgangVL · · Score: 1

    Got to read between the lines on this one.

    US GOVERNMENT, Looking completely inept, while at the same time being incredibly clever just out of sight.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  7. Trumps a Spy by wolfheart111 · · Score: 0

    That's the only thing I can come up with. With all the things he's doing to undermine the US makes you wonder whose trump card is really being played.

    --
    [($)]
  8. Competes with Azure Stack by ErichTheRed · · Score: 1

    Right now, Amazon doesn't have an equivalent to Azure Stack (the cloud in a box from Microsoft.) The closest thing they have is VMware stretching existing on-site cluster management into AWS, where you basically build out ESXi hosts in AWS and manage both on-site and cloud hosts from the same tools. That's not going to fly at an intelligence agency, no matter how many rounds of golf, free trips and strip club visits you buy the CIO, so the logical thing to do is to bring the whole thing in house.

    My assumption is that this is an offline, onsite AWS, with all the capacity pre-paid for and managed by people with TS clearance or similar. $600 million buys a lot of servers and help to run your own AWS.

    1. Re:Competes with Azure Stack by Facekhan · · Score: 1

      Yes, I would imagine the idea is to make the administrative/orchestration interface look just like AWS while actually being on the classified network. That way they can hire engineers who have AWS experience and just have them spin up servers the same way. They can also take their orchestration tools and ansible script.

      This could potentially increase security by limiting the obnoxious roadblocks that provide the frustration incentive to break the rules on these systems in the first place. If everything on the classified system works almost the same way it does in the rest of the IT world, you make hiring easier, you make government more efficient, you reduce job frustration.

    2. Re:Competes with Azure Stack by kriston · · Score: 1

      You're right. It's on-premises AWS operated by AWS and the facility is owned by the government. It has a subset of the services in the AWS GovCloud, which, itself, is a rather small fraction of the services in the AWS commercial cloud.

      --

      Kriston

  9. Amazon Launches a Big Fat Target by StickyWidget · · Score: 1
    Amazon Launches a Big Fat Target for Intelligence Agencies

    "The AWS Secret Region is a key component of ensuring the Intel Community's ability to get owned and leaked in multi-dimensional ways via a cloud strategy. It will have the same material impact, wholly negative, on the IC at the Secret level that C2S has had at Top Secret."

    There, fixed it for ya.

    //Sticky

    1. Re:Amazon Launches a Big Fat Target by hyades1 · · Score: 1

      They'll probably wind up saving a bit of money by hosting it on Russian servers.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
  10. I think is a bad idea by Anonymous Coward · · Score: 0

    Let's hope they don't sell their metadata like they do it with their customers.

  11. Finally, entry level Amazon IT employees get to by Anonymous Coward · · Score: 0

    play Snowden! Or more likely, Rosenberg.

    1. Re:Finally, entry level Amazon IT employees get to by AHuxley · · Score: 1

      All contractors will now get very deep polygraph investigations. Their internet use will be watched, any contact with journalists, internet sites found to be supportive of whistleblowing, changes in spending habits, searching for holidays.
      Any downloads of cryptography that could be used to contact journalists by contractors will be reported.

      Two random strangers with strong accents will approach random contractors offering them cash for US/NATO secrets. That will be the local FBI. The contractor will be expected to report all such approaches.

      That will keep watch over all contractors at home, when away from work, at parties, church, the gym, laundromat. Anywhere a charming spy might try to reach out to a contractor.
      Medical contractors will perform long term and lots of testing on all contractors to work out their whistleblowing and spying potential. Would their faith, politics, need for wealth, need for a friend make them sell secrets? Just give all US secrets over decades to another nation due to their faith, politics?

      The second new innovation will be the buddy system at work.
      No contractor will be allowed to work on any CIA, NSA, NATO, 5 eye collection systems alone.
      The idea that two people from the same faith, cult, dual citizens with the same politics could work together for hours would never be an issue.
      The buddy system, spy proof.

      --
      Domestic spying is now "Benign Information Gathering"
  12. how long? by AndyKron · · Score: 1

    How long until a ten year old hacks it?

  13. Not the first secret region by Anonymous Coward · · Score: 0

    First, the new region is actually not the first "secret" region. Amazon has been running an air-gapped intelligence community region for years: https://www.theatlantic.com/te... , there's even a marketplace for it: https://aws.amazon.com/ru/blog...

    The new initiative is just an extension of it.

  14. Secret vs Top Secret by Stax · · Score: 1

    This region is only Secret - Top Secret workloads have been running in C2S for years.

    Read the CIA Press Release here

    1. Re:Secret vs Top Secret by BlueStrat · · Score: 1

      This region is only Secret - Top Secret workloads have been running in C2S for years.

      Read the CIA Press Release here

      Yeah, Putin can read presidential intelligence briefing docs before the POTUS does since at least Obama.

      The US government isn't so much worried about other nations learning US secrets, it's the US' citizens they are most worried about learning how they and their nation have been sold down the river by those in power on both sides of the political aisle.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  15. Not new. by Anonymous Coward · · Score: 0

    Hey look over here guys we are just doing our jobs being legit!

    (where they don't advertise is still the problem)

  16. ISDN is not packet switched by Anonymous Coward · · Score: 0

    Sorry, ISDN is a circuit switched service. BRI (Basic Rate Interface) gets you, typically 2 64kbps bearer channels and a 16 kbps side channel (144 kbps total), and was intended to replace analog POTS. PRI (primary rate interface) is the equivalent of a T1, with 24 bearer channels at 64 kbps plus a side channel. Of course, you can bond channels into one higher rate channel. And there are 56 kbps per channel schemes with "in channel signalling". It maps right into traditional FDM analog signaling.

    Now, it's true that a LOT of X.25 links were provisioned using ISDN - you'd ISDN with circuit switched service to your local Point of Presence, and then it's packet all the way from there. ISDN being "digital dial up" was a lot cheaper than a leased line for the same rate, although, again, there were a lot of "nailed up" ISDN links that were up all the time. You'd fork out message unit charges for that ISDN call, but it still was cheaper than the leased line.

  17. AWS to the rescue... by VeryFluffyBunny · · Score: 1

    Are AWS promising to prevent the CIA from publicly soiling themselves again? They obviously can't look after sensitive data for themselves.

    --
    Debate is a form of harassment. Do not question my truth.