
Legislators Gear Up to Take On Cloud Outages


It hasn’t been news in the tech sector for years, but as businesses worldwide turn to cloud computing as a necessary, everyday solution, they find fewer and fewer companies that offer it. The demand is immense: RightScale data from 2021 (published 2022) found that 57% of companies planned to move workloads to the cloud, and small- to mid-sized businesses increased spend on cloud services Businesses have certainly taken note. Data published this month This is a matter of national, and indeed international, security. But governments are only just catching up with the magnitude of the risk.

US: Federal Secure Cloud Improvement and Jobs Act

The Federal Secure Cloud Improvement and Jobs Act of 2021 is a step in that direction, mandating new assessments and oversight protocols for cloud computing products, but it applies only to the Federal government. Third-party infrastructure is exempt, even for the 16 sectors that CISA designates as “critical infrastructure” (healthcare, defense, manufacturing, nuclear, etc.).

Instead, the Biden administration has leaned on private companies to regulate themselves as best they can. At this month’s National Cyber Workforce and Education Summit, Accenture, the Linux Foundation, and NPower each pledged to the government to work on cloud security initiatives, mostly in a training and certification capacity. The message: “You’ve got this, right?”

It’s a curiously hands-off approach, especially for an administration that regularly declares tech and security a priority. Congress has no appetite for regulating third-party cloud infrastructure either, whatever the stakes.

In 2019, shortly after a breach of Capital One’s AWS-hosted data, Representatives Katie Porter (D-CA) and Nydia M. Velázquez (D-NY) wrote to the Financial Stability Oversight Council at the Treasury, demanding that cloud storage in the financial industry be counted among the “systemically important financial market utilities” (SIFMUs), as defined Perhaps it was the chaos of the change in administration; perhaps there’s resistance in the Treasury; but Reps. Porter and Velázquez’s proposal went nowhere. (Rep. Porter, a longtime advocate of cloud service regulation, did not respond to InformationWeek’s request for comment.)

UK Delays While EU Moves on DORA

The good news, if you’re in favor of this kind of regulation (or the bad news if you’re not), is that regulatory bodies across the Atlantic seem to be sliding towards a new compliance regime for cloud providers along these lines.

A paper from the UK Treasury, published last month, revealed that the Treasury and the Bank of England have been mulling a new regulatory framework for “critical” cloud-based third-party services since 2019. (These are services the Treasury designates as “critical,” and they are not necessarily financial.) They propose fairly broad powers to set and enforce standards and to investigate violations. This isn’t legislation, of course; that step, the paper notes, will come “when parliamentary time allows,” and since Britain won’t have a new government before September, we will likely be hearing more of this in 2023.

Meanwhile, on the Continent, the European Council and Parliament reached a provisional agreement in May on the Digital Operational Resilience Act (DORA), a regulatory framework, not yet in law, intended to ensure that the financial sector can “maintain resilient operations through a severe operational disruption,” including on cloud platforms. The ponderous process of turning the proposal into law will take months and perhaps years: the Council and Parliament must formally adopt it, and a host of agencies like the European Banking Authority will have to draft the technical standards.

This is not some European curiosity. DORA will require non-EU providers (AWS, IBM, Microsoft, Alibaba…) to establish EU subsidiaries, which could change the compliance posture of these companies worldwide. And when it comes to regulation, when the EU sneezes, continents catch cold. GDPR set off a ripple of copycat privacy legislation all over the world, including in California and India, and changed internet user experiences everywhere. DORA might have a similar effect.

But until then, cloud security is purely a business matter. We’ve got this, right?
