Cloud Services Expose The Balancing Act Between Security And Privacy
The most secure system is one to which there is no access. Likewise, the most accessible system is one without any security. In between these extremes lie the tradeoffs in either direction that make up the delicate balancing act of cybersecurity. Cloud computing has transformed the way that computing infrastructure is offered, allowing for a new age of accessibility. Unfortunately, malicious actors are taking full advantage of the low barrier to entry and launching their cyber-attacks more effectively through cloud hosting platforms. The Federal Government is looking to remedy this vulnerability through customer identification regulations, but this solution could ultimately restrict Americans’ privacy while failing to achieve its goal.
An outgoing Trump administration executive order titled “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” tasked the Secretary of Commerce with putting forward regulations on U.S. cloud hosting providers that would require them to identify foreign customers. The administration claimed it is “extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities.” A 2023 executive order added another directive focused on reporting foreign attempts to use these cloud hosting companies to train AI models for cyber-attacks.
The key proposal of the executive orders centers on the implementation of a know-your-customer (KYC) program that will establish “minimum standards for IaaS providers to verify the identity of a foreign person connected with the opening of an Account or the maintenance of an existing Account.” KYC is primarily used in the financial industry to prevent fraud through the identification of customers and any risks associated with doing business together.
Expanding KYC to cover cloud service providers would be a significant development in the application of the regulation. The extent of the abuse of cloud services by hackers is not fully clear, which makes it harder to justify such an onerous and invasive requirement. The regulation is focused on foreign customers, but there are plenty of examples of the federal government promising to implement similar programs while respecting the rights of Americans but failing to do so. Does the malicious behavior of some customers mean that all the others must deal with the removal of their privacy?
An additional concern is that these KYC regulations would allow for further data harvesting by Big Tech. While a skeptical view of these large corporations is warranted, the fact remains that none so far have voluntarily developed their own KYC programs. Additionally, they have pushed back on the plan, claiming that it “could cost the industry billions of dollars in administrative cost” and that nation-state hackers would simply find ways to thwart the identification requirements, making them mostly ineffective. It seems that Big Tech is not keen on collecting this data because it is not currently profitable to do so.
The executive orders and their proposals have real merit. Cloud services give foreign adversarial nations a key advantage in conducting cyber-attacks against America. Should America’s technology sector be so available and profitable that it imperils national security? Is the mere possibility of impropriety enough to hamstring the federal government from trying to defend the nation from foreign cyber-attacks? There are no easy answers to these questions, but what is clear is that cybersecurity is a delicate balancing act between usability (or privacy) and security.
These executive orders advocating greater oversight over customer identification for cloud service providers have the potential to further restrict the vital privacy rights of Americans. Their implementation may not even fix the problem they aim to solve. Even though the public comment period for the propositions has ended, the evaluation of their methods and tradeoffs will continue. Americans should constantly be weighing the benefits of any cybersecurity measure against the impacts that it will have on their ability to use digital technology without infringement.