Federal Cybersecurity Advisor Floats Executive Order on Cloud Service Providers – Nextgov

Cloud service providers should not be allowed to market baseline security features as add-ons requiring special licenses, according to a prominent member of a new federal advisory committee at the Cybersecurity and Infrastructure Security Agency.

“You should not have to pay extra for security, I’m sorry, that is immoral for companies [to charge for],” said Alex Stamos, partner at the Krebs Stamos Group, who called for executive action on the matter. “I’d love to see an executive order that any cloud product that is bought by a federal agency has to support [multi factor authentication], [single sign on] and basic audit in the most base paid package.”

Stamos is one of 23 members on CISA’s new federal advisory committee, which met for the first time Friday. The firm he started with former CISA Director Christopher Krebs consulted with SolarWinds after hackers infiltrated the company and subsequently compromised several federal agencies last year. Stamos also directs the Stanford Internet Observatory. Like Krebs, he built up credibility in the community while dealing with hyper-politicized election security issues.

The idea that it is simply wrong for cloud service providers to upsell security features is not new among policy makers. The aftermath of the SolarWinds incident highlighted how tracing the attackers’ steps was complicated by logging capabilities being tied to higher-cost licenses at Microsoft.

Stamos raised the issue during a discussion of how to turn the corner on cybersecurity hygiene, an area for which CISA Director Jen Easterly sought recommendations and asked George Stathakopoulos, Apple vice president of corporate information security, to lead the work.

“It is not just Microsoft, it’s a huge number of cloud companies,” Stamos said. “Apple to their credit does not do this. But a huge amount of cloud companies charge you more money so that you have to be on an enterprise license to have MFA or SSO. They need to be called out and shamed. Honda won’t sell you a car without airbags unless you pay extra, right? The airbags need to be in the baseline.”

Other proposals raised for motivating companies to implement appropriate security measures ranged from providing tax incentives and protection from liability when they do, to enforcing fines when they fail to.

Stamos highlighted the difference in capabilities within the private sector to stress his point about the responsibility of cloud service providers.

“Give it to everybody who’s paying five bucks a month or 10 bucks a month for your product, do not charge 20 or 30 or $50 a month to get the basic security functions,” he said. “It’s just a completely unethical thing. For big businesses to …

Source: https://www.nextgov.com/cybersecurity/2021/12/federal-cybersecurity-advisor-floats-executive-order-cloud-service-providers/359751/