Atlantic Council research focuses on cloud risk management across critical infrastructure sectors

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), published new research that focuses on cloud risk management in critical infrastructure (CI) sectors like healthcare, transportation, logistics, energy, defense, and financial services. The Atlantic Council research also examines cloud adoption and explores data storage and availability; scale and scalability; and continuous availability as factors determining its operational benefits for a sector’s functionality.

Authored by Tianjiu Zuo, Justin Sherman, Maia Hamin, and Stewart Scott, the research report titled ‘Critical Infrastructure and the Cloud: Policy for Emerging Risk,’ aims to raise awareness of the risks that a potential cloud compromise or outage poses to CI and, in so doing, to make the case that these risks necessitate the maturation of current policy tools, and creation of others, to address these risks. “It does not seek to vilify cloud adoption by CI sectors or preach a return to on-premises data processing. Instead it suggests that CI sector regulators must consider cloud security and resil-ience a key question within their remit.”

The Atlantic Council report highlights that cloud security is no longer just about the security of services, but about the durability of infrastructure underpinning fundamental economic and political activities. For policymakers, that recognition must now become as tangible as it is urgent.

The authors describe two features that make the risk profile of cloud computing markedly different from that of previous computing paradigms and that must inform the design of cloud risk management policy at a national level: compounded dependence and delegated control and visibility. 

“Compounded dependence describes how widespread cloud adoption causes a huge range of organizations to depend upon a few shared linchpin technology systems, including unglamorous subsystems within the cloud, where the failure of one node could precipitate a cascading collapse,” the report outlined. “Delegated control and visibility describe how organizations that adopt cloud services cede control of and lose visibility into the operations and failure modes of these technology systems, posing challenges for both businesses and policymakers seeking to measure and manage cloud risks.”

The research report identifies that the factors of compounded dependence and delegated control and visibility pose challenges to managing potential risks to the cloud with existing policy tools, which remain more focused on end products and services than their shared architecture and infrastructure. These risk factors will only become more pronounced as organizations accelerate their move to the cloud, and policy structures designed to manage them will be essential to smoothly navigating the ongoing transition towards cloud computing as the dominant computing paradigm.

The Atlantic Council report disclosed that the healthcare sector has quickly recognized cloud computing’s benefits. One industry survey, for instance, reported that 35 percent of healthcare organization respondents already store more than half their data and infrastructure in the cloud. In 2020, companies spent $28.1 billion on healthcare cloud computing, with the number projected to increase to $64.7 billion by 2025.

The healthcare sector generates enormous amounts of sensitive data, much of which it stores in the cloud. Electronic health records (EHRs), which contain data such as a patient’s medical history, diagnoses, and medications, are increasingly common in healthcare for their efficiency and interoperability, as are medical sensors and monitors that generate large amounts of data. Other healthcare-adjacent systems—like insurance systems, Health Insurance Portability and Accountability Act (HIPAA) compliant communications, laboratories and testing labs, crisis coordination networks, and supply-chain management practitioners—have also largely transitioned to the cloud.

“While it is challenging to determine how catastrophic the impacts of an outage of any single service or CSP would be, the cloud is increasingly critical to the efficient function of many healthcare organizations,” the authors identified. “While some practices may be able to revert to pen and paper in the event of a cloud outage, others may not, and most will suffer from the change. In one incident, a ransomware attack on Allscripts’ cloud-based EHR system forced healthcare providers to fall back to paper prescriptions, possibly delaying life-saving care and raising the risk of fraud and abuse.”

They added that the cloud offers real benefits, especially for small providers: cost savings, ease of standing-up functionality without an in-house IT team, and (potentially) increased security over on-premises deployments. “There is a reason why the various federal cloud strategies and poli-cies, as well as the new National Cybersecurity Strategy, emphasize encouraging cloud adoption: Adoption must match more fulsome, fine-grained, and effective scrutiny of CSPs and their infrastructure. Healthcare’s cloud transi-tion will continue, so examining potential outage impacts and the degree of systemic vulnerability to a few points of failure are urgent priorities.”

The transportation and logistics sector plays a vital role in US and global supply chains. For instance, the freight shipping industry moves some $19 trillion of goods over land in the United States each year. The European Union (EU) similarly houses the world’s largest ocean shipping fleet and controls around 40 percent of the world’s tonnage, moving everything from oil and gas to cars and electrical appliances. The report also identifies that the transportation and logistics sector must contend with seasonal swings and weather emergencies, where situations call for additional computing power to solve challenging optimization problems on the fly. 

The authors outline that the transportation and logistics sector appears to currently use the cloud more for planning systems than real-time operational decisions, where failure could have devastating effects. “However, even short-lived delays in shipping and transportation can have costly economic effects. Moreover, industry projections and cloud-feature development suggest that the cloud will become more critical to the sector’s safe functioning in the future,” they added.

The authors determine that the energy sector, as Presidential Policy Directive 21 (PPD-21) puts it, is ‘uniquely critical because it provides an ‘enabling function’ across all CI sectors.’ Increasingly, energy has moved away from manual systems to automated ones reliant on the cloud for managing and making use of data. The energy sector looks to the cloud to update aging interfaces and increase data-transmission efficiency.

“As in healthcare, major energy players—from oil-and-gas companies to electricity-delivery utilities—are adopting the cloud for functions ranging from auxiliary data processing to core operational capabilities,” according to the Atlantic Council report. “The impacts of potential cloud compromises on energy availability are hard to predict, especially, as the interconnected nature of the energy supply chain and grid could magnify the unavailability of one component or system into wide-spread cascading effects.” 

While policymakers have begun to grapple with the interconnection of cyber and energy—for example, the recent National Cybersecurity Strategy notes that cybersecurity will grow increasingly important for next-generation energy technologies such as ‘advanced cloud-based grid management platforms,’ and pledges to ‘build in cybersecurity proactively through implementation of the Congressionally-directed National Cyber-Informed Engineering Strategy’—more work is required to fully map out the energy sector’s cloud dependence as well as the potential impacts of a devastating cloud compromise for the sector.

The authors also identified that rates of cloud use in defense seem likely to increase as defense contractors become more acquainted with its risks and benefits. DOD discusses how the ‘episodic nature’ of its mission makes the cloud’s scaling capabilities an alluring feature in its 2018 Cloud Strategy. “Because the US military and its contractors have been slow to migrate critical systems to the cloud, a cloud compromise would likely not wholly hobble national defense. Less clear is how significant the impacts of such an event would be on important processes such as supply chain and logistics planning. If current defense sector cloud partnerships are successful, then the cloud may grow much more critical to US national defense soon,” they added.

The Atlantic Council report highlights the growing reliance of critical infrastructure (CI) on cloud services and the unique risks associated with this transition. As more entities adopt cloud services, the systemic nature of its associated risks will compound. The report recommends increased fact-finding and awareness as a key first step for policy. It is crucial to address the cloud’s criticality in metrics used to determine system resilience. Judiciary policy-making should engage with cloud risks to create a more robust regulatory framework for the cloud’s growing role in critical national functions.

The report concludes with policy recommendations to help policymakers gain more visibility into and eventually a better hold on cloud risks for CI sectors, building on the 2023 cloud security report from the US Department of the Treasury and the 2023 National Cybersecurity Strategy. 

The Atlantic Council report recommendations center on equipping Sector Risk Management Agencies (SRMAs), with appropriate tools to understand cloud usage and risk within their sector, as well as mapping out the beginnings of a structure for cross-sector cloud risk management to facilitate greater transparency and oversight. These ideas are a start, rather than an end state, for cloud risk policy—visibility is a prerequisite for risk management, but other tools will be required in concert to fully confront the problem.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.