The Department of Homeland Security’s Cyber Safety Review Board launched an investigation into the security of cloud computing platforms, which follows the state-sponsored hack of Microsoft Exchange Online in July that led to the theft of emails from the U.S. State Department and other government agencies.
DHS Secretary Alejandro Mayorkas on Friday announced the review, which will examine the attack against Microsoft attributed to China-linked hackers.
The probe will also examine whether there are potential steps available from federal authorities, private industry or the major cloud service providers to strengthen cloud-based authentication and identity management.
“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” Mayorkas said in the announcement.
Microsoft in July said a suspected China-backed espionage hacking group, which it calls Storm-0558, used forged authentication tokens to gain access to about 25 different organizations, including some government customers.
The attackers used the forged tokens to gain access to a Microsoft consumer signing key.
The targeted attacks involved the theft of some fairly sensitive emails from the U.S. State Department as well as emails linked to U.S. Commerce Secretary Gina Raimondo, during a time of heightened tensions between the U.S. and the People’s Republic of China.
Microsoft came under criticism from federal authorities and U.S. legislators, as officials detected the intrusions by reviewing security logs that were not available to customers unless they paid additional fees to Microsoft. After extensive blowback, Microsoft agreed to make these logs available to customers free of charge.
U.S. authorities have raised concerns for months now about how cloud computing providers manage security services, particularly regarding whether customers should have to pay additional fees for security or whether that security should be built into the platform.
Microsoft has encouraged customers to move their data into the cloud following the attacks from state-linked hackers against SolarWinds and other organizations in 2020, citing the ability to recognize these attacks and notify customers.
Google Cloud has also positioned itself as a robust security brand that can provide end-to-end protection for the enterprise user. The company has accused Microsoft of engaging in anti-competitive practices to prevent on-premises customers from seeking other cloud providers.
In March, the Federal Trade Commission opened up an inquiry into the business practices of cloud providers and how these practices impact security. Part of that process was to seek public input on cloud competition and security issues.
A spokesperson for the FTC told Cybersecurity Dive the agency is “reviewing the comments received and have not decided on any possible next steps.”
The controls that customers set up for software and hardware operating in cloud environments are widely misconfigured, a leading factor related to security issues, according to Qualys research.
“Organizations are largely leaving most security settings as is in cloud infrastructure, which means roughly half of all security settings are in a state which could allow an opening for threat actors to gain access to critical cloud computing resources,” said Travis Smith, VP of the threat research unit at Qualys.