After a Recent Hacking—What are the Risks and Rewards of Cloud Computing Use by the Federal Government?

Cloud computing offers significant opportunities to increase government efficiency, as well as customer service-like benefits for the public. The federal government has recognized these benefits and is increasingly using cloud computing services for things like access to shared resources such as networks, servers, and data storage. But without effective security measures, these services can also make federal agencies and their computer systems vulnerable to cyberattack.

This vulnerability was reported in July, after the State Department and other agencies had their cloud-based emails hacked by Chinese-based threat actors.  

What should the federal government do to better secure their cloud computing services from attacks like these and what are the risks to taxpayers? Today’s WatchBlog post looks at our recent report and other work.

Image

Where are the vulnerabilities in cloud computing and what are agencies currently doing to protect these systems?

For over a decade, federal agencies have increasingly used cloud computing to address their information technology (IT) needs and to perform their missions. Cloud computing offers federal agencies a means to buy services more quickly and possibly at a lower cost than building, operating, and maintaining these computing resources themselves. So, it can save taxpayers money. But the vulnerabilities also have significant costs.

We recently looked at how four federal departments—Homeland Security, Treasury, Labor, and Agriculture—use and protect cloud computing services.

• Homeland Security moved a system to the cloud that they use to help with sharing information and collaborating with various agencies and organizations to address and respond to major national events (e.g., major sporting events, hurricane response, and other law enforcement activities).
• Treasury used cloud to replace multiple aging IT systems that manage the daily business activities of the bureau, such as processing payments.
• Labor acquired cloud services to allow it to consolidate case management systems that are used to, among other things, track congressional correspondence, and interact with the U.S. workforce and retirees. 
• Agriculture has used cloud to improve how they store and manage documentation used to help manage federal lands.

How are agencies protecting cloud computing systems?

The above described activities are important, and so is ensuring they are protected from cyberattacks and disruption. But when we looked at how these departments protected their systems, we found that they did not always follow key practices for doing so. For example, we found that the departments had only fully performed continuous monitoring for 3 of 15 systems we reviewed. For the remaining 12 systems, the departments had only partially implemented continuous monitoring processes. This leaves departments with less awareness of changes in the security risks of the system.

We’ve previously reported on other concerns with federal use of cloud services. For example, in 2019, we surveyed 24 federal agencies about their use of a federal program for protecting cloud services. At the time, 15 of 24 agencies told us they didn’t always use this program. Departments also reported limitations in their ability or methods of overseeing these services. Specifically, continuous monitoring against attacks had to be done manually and was not automated.

Image

What more should the federal government be doing to protect the cloud?

In our latest report, we made 35 recommendations for Homeland Security, Treasury, Labor, and Agriculture to improve their cloud security practices. These included ensuring that they are fully documenting who has access to systems, that they are continuously monitoring against attacks, and that they are adhering to the guidance provided for protecting these systems, among other things.

We are also waiting for other federal agencies to take action on 12 of our 25 recommendations from 2019. These actions would also improve the security of these critical cloud systems and help prevent disruptions that could impact the public. For example, we recommended that the Office of Management and Budget, which oversees implementation of a federal program for authorizing agencies’ use of cloud services, establish a process for monitoring and holding agencies accountable for their use and protection of cloud services.

Learn more about our work on cloud computing by checking out our latest report.

• Comments on GAO’s WatchBlog? Contact blog@gao.gov