UK intelligence agencies will store classified material using Amazon Web Services (AWS), the Financial Times reported yesterday. MPs have raised concerns about the deal, which would put sensitive information about UK citizens in the hands of a US company. But experts told Tech Monitor that accidental exposure is a greater security risk – and would be just as likely with a UK-owned cloud provider, if not more so.
The deal, which was not disclosed publicly, will see UK agencies GCHQ, MI5 and MI6 use an AWS-based system to store and analyse top-secret intelligence. Other government departments, including the Ministry of Defence, will also use the system during joint operations. The contract is estimated to be worth between £500m and £1bn, experts told the FT.
Top-secret intelligence will be held in the UK and Amazon will not have access to it, according to the FT report. Nevertheless, in a letter to home secretary Priti Patel seen by The Guardian, shadow security minister Conor McGinn wrote that reports of the deal “raise serious questions about the wider security safeguards in place when it comes to the potential risks of outsourcing critical elements of UK national security infrastructure to non-UK-based companies”.
The deal does present some concerns over data sovereignty, the ability for countries to retain control over data created and stored within their borders, says Dr Tim Stevens, head of the Cyber Security Research Group at King’s College London. These concerns typically derive from the fear that a foreign-owned cloud or internet service provider might be instructed by its home government to share data.
“Foreign companies have many masters, including the country in which they situate their headquarters,” Stevens said. “There are obvious sovereignty issues, which have become more pronounced as the US has in recent years valued transatlantic relationships less than in previous decades.”
But this is not the biggest risk presented by the AWS deal, says Stevens. “I don’t expect the problem here to be one of US-UK trust, liable to change with geopolitical shifts,” he says. “Far more likely – although AWS has a very good track record in this respect – that something accidental occurs that exposes UK secret data to prying eyes. That would be the same if it was a UK company hosting this data.”
The absence of a UK-owned hyperscale cloud provider means the government has little choice but to buy cloud services from US-owned companies, Stevens added. “The bottom line is that the UK would always have had to find a private-sector partner for cloud services because the UK doesn’t have that capacity and hasn’t been willing to invest in developing one,” he said. “Other countries are in a similar position, which raises questions about US companies as single points of failure.”
The fact that the deal was not reported publicly is also not unusual, Stevens said. “Most defence and security procurement is not a matter for public discussion. If it were, nothing would get done.
“However, this is precisely the sort of decision that should be reviewed by the relevant parliamentary committees and the Intelligence & Security Committee of Parliament. There is clearly public demand for examination of this, although I would dispute the view that the decision itself was somehow illicit or underhand.”
Other European countries have made moves to protect their ‘cloud sovereignty’. France and Germany have collaborated on a European Secure Cloud certification, and hyperscale cloud providers have partnered with local tech companies to offer services to their respective governments. In France, for example, Capgemini and Orange have built a platform called Bleu, based on Microsoft’s cloud services, for use by the French government. Google Cloud has partnered with Thales in France, and T-Systems in Germany, for similar services.
The UK, by contrast, “seems to take a ‘don’t care’ approach and is quite comfortable with the role of the US cloud providers,” Mike Small, distinguished analyst at KuppingerCole, told Tech Monitor last week.
Ransomware attacks on the increase in the UK
News of the UK intelligence agencies’ contract with AWS coincided with the revelation by GCHQ’s boss that ransomware attacks on British institutions have doubled during the past year. The reason for this is simply that ransomware works, said Jeremy Fleming, head of GCHQ, at The Cipher Brief Annual Threat Conference. “It just pays.”
This uptick is not a surprise and is part of a global problem, David Bicknell, principal analyst at GlobalData, told Tech Monitor. Bicknell says there is a need for more practical guidance from the National Cyber Security Centre [NCSC], the UK’s body providing advice on cyber threats. “Discussing 'red lines and behaviours' and going after 'links between criminal actors and state actors' is of little practical use to UK organisations facing ransomware threats.”
Ransomware threats targeting the cloud are also on the increase, as criminals target the treasure trove of data stored in such services. Earlier this year, a study by cloud security provider Ermetic found that "at least 90%" of AWS S3 cloud storage instances are vulnerable to ransomware attacks, although this is due to misconfiguration by users, not the underlying security of the platform. "It's not a matter of if, but when, a major ransomware attack on AWS will occur," said Shai Morag, CEO of Ermetic.
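The misconfiguration point above is the one a defender can act on. The following is an added example, not code from the article, Ermetic or AWS, showing how an account-wide audit of S3 bucket settings for ransomware resilience might look. The criteria it checks (versioning, MFA delete or object lock, a complete public access block, and no bucket policy granting anonymous write or delete) are my own assumptions about what "misconfiguration" means here; the page does not list the study's criteria. The bucket descriptions are constructed dicts shaped loosely like the corresponding S3 API responses, so the script runs offline with no credentials.

```python
"""Offline audit of constructed S3 bucket configurations for ransomware resilience.

Each bucket is a plain dict resembling (in simplified form) the answers to
GetBucketVersioning, GetPublicAccessBlock and GetBucketPolicy. No AWS calls
are made; the sample data at the bottom is constructed for this example.
"""
import json
from typing import Dict, List, Union

# Finding codes returned by audit_bucket(); the checks are assumed criteria.
NO_VERSIONING = "NO_VERSIONING"                      # nothing to roll back to
NO_MFA_DELETE_OR_LOCK = "NO_MFA_DELETE_OR_OBJECT_LOCK"  # versions can be purged
PAB_INCOMPLETE = "PUBLIC_ACCESS_BLOCK_INCOMPLETE"    # public ACLs/policies possible
PUBLIC_DESTRUCTIVE_POLICY = "PUBLIC_DESTRUCTIVE_POLICY"  # anonymous write/delete

_DESTRUCTIVE_ACTIONS = {
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutBucketVersioning", "s3:*", "*",
}
_PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") == "*"


def policy_grants_public_destructive(policy: Union[str, dict, None]) -> bool:
    """Detect Allow statements that let anonymous principals write or delete."""
    if not policy:
        return False
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if _DESTRUCTIVE_ACTIONS.intersection(actions):
            return True
    return False


def audit_bucket(bucket: dict) -> List[str]:
    """Return the list of finding codes for one bucket configuration."""
    findings = []
    versioning = bucket.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append(NO_VERSIONING)
    elif versioning.get("MFADelete") != "Enabled" and not bucket.get("ObjectLockEnabled"):
        # With plain versioning an attacker holding credentials can still
        # delete every version; MFA delete or object lock prevents that.
        findings.append(NO_MFA_DELETE_OR_LOCK)
    pab = bucket.get("PublicAccessBlock", {})
    if not all(pab.get(k) for k in _PAB_KEYS):
        findings.append(PAB_INCOMPLETE)
    if policy_grants_public_destructive(bucket.get("Policy")):
        findings.append(PUBLIC_DESTRUCTIVE_POLICY)
    return findings


def audit_account(buckets: Dict[str, dict]) -> Dict[str, List[str]]:
    """Audit every bucket; buckets with an empty list pass all checks."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}


# Constructed sample data (not real buckets or policies).
SAMPLE_BUCKETS = {
    "hardened-archive": {
        "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "ObjectLockEnabled": False,
        "PublicAccessBlock": {k: True for k in _PAB_KEYS},
        "Policy": None,
    },
    "shared-data": {
        "Versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
        "ObjectLockEnabled": False,
        "PublicAccessBlock": {k: True for k in _PAB_KEYS},
        "Policy": None,
    },
    "exposed-uploads": {
        "Versioning": {"Status": "Suspended"},
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::exposed-uploads/*"}]}),
    },
}

if __name__ == "__main__":
    for name, findings in audit_account(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

In a real account the same checks would be fed from the S3 API responses (and ideally from AWS Config rules or a CSPM tool rather than an ad hoc script); the value of the constructed version is that it makes explicit which settings turn a credential compromise into unrecoverable data loss.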