Microsoft last week lost a potential European customer for its cloud-based Microsoft Office 365 product over concerns about the Patriot Act allowing U.S. government access to to private data. UK defense contractor BAE Systems said they’d changed plans on advice of their lawyers. Smart lawyers.
If we have to rely on lawyers for data security advice, we’re in real trouble.
Frankly I think the US Government and the Patriot Act would be the least of their problems. If a defense contractor put their data on a public cloud service it would be an open invitation to Iran, North Korea, China, and others to try to steal it.
It boggles my mind that BAE even thought about putting their data in the cloud, yet stories quoting company officials show they were about to pull the trigger.
In many industries — but especially defense — there must be absolute data security. They traditionally have had a rigorous process to control where data is kept, how it is kept, how it is accessed, who can access it, etc. I am troubled by the notion of a major defense contractor letting an external service store their data and have them access it across the public Internet.
How much were they really saving? How much were they really risking?
Along the same lines there’s the supposed cyber attack on the Springfield, IL water system. Officially they have stated that nothing happened. Okay, fine. But this, too, begs the question: why are utility control systems even accessible from the Internet?
I appreciate the value of being able to call an engineer, have him/her access the system from home, and help fix a problem. There might be a few legitimate reasons to make critical internal systems accessible from the Internet. However if you choose allow the connection, then: (1) you need use the best security tools to manage the connection, and; (2) you need to monitor the connection and be able to sever it at the first sign of trouble. That didn’t appear to happen in Springfield
These are both examples of a generational gap in experience. By laying off all the older engineers and IT experts, industry has created an experience gap in its technology work force and bonehead moves are taking place as a result. Someone at BAE had no clue it might be a bad idea to put their data on the cloud.
How stupid was that?
The same thing happens in politics, when people/governments put in hard term limits. All the experience gets shunted out the door, and lobbyists are left running things.
A lot of the time, the lobbyists are the same elected officials that were recently shown the door due to term limits. Now, instead of getting paid by us for their expertise, they now are now paid by some corporation. Whose interests do they now represent?
I sometimes think we should just do away with Congress and simply hire lobbyists to represent the country. At least lobbyists listen to the people who’ve sent them to Washington.
The problem with that is, *I* didn’t send those lobbyists to DC, and none of my friends did, either. If it were run by lobbyists (more than it already is, of course), the political system would be open to being bought even more than it already is. Which is difficult to imagine, I know.
Twenty years ago, one of the “Big Four” UK banks appointed an new CEO. He said he was shocked that he couldn’t find anyone over the age of 40 at Head Office. The rest is history.
Oh, and as for the BAE story, the history of defence procurement in the UK is a forty-year, multi-billion pound saga of dogged incompetence and purposeless waste. Is anyone surprised to find that defence IT procurement is affected by the same malaise?
“The same thing happens in politics, when people/governments put in hard term limits. All the experience gets shunted out the door, and lobbyists are left running things.”
I’d be tempted to believe you if congress didn’t have plenty of multi-termers. The problem isn’t noobs fooled by lobbyists; the problem is greedy people snared by lobbyists.
In fact, I can make your argument against the old-timers: They get too comfortable with the lobbyists and due to familiarity, Stockholm Syndrome, whatever, lose the ability to say “no” to them.
‘It boggles my mind that BAE even thought about putting their data in the cloud, yet stories quoting company officials show they were about to pull the trigger’ …
Exactly. The main point appears to be missed here …. Why would a senior IT executive of a global defence contractor even consider being part of a panel discussing the technological aspects of a shift to Cloud Computing? Should I be concerned if I was a customer of this organisation?
If you understand Game Theory you’ll realize that term limits spawn incivility in legislatures meaning members are less likely to be able to work together because they know the relationship is short term. This is the same reason people don’t like used car salesman. The used car salesman knows the relationship is limited, so he sokes his customers.
Where are these “hard term limits” and when can we enforce them on our current congress?
The problem is that many of these companies no longer have the expertise to maintain their own networks. They’ve gotten rid of all those “over paid” people who managed that stuff. (Why should you when Gmail is free?) And, now they have no choice than use a third party to hold their data. The reality is that the third party firm might be able to secure your data better than you can.
President Johnson once said that when you give someone your balls to hold, the temptation is for that person to squeeze them.
You give a third party company something that is extremely valuable to your firm (your family jewels so to speak) and that third party firm is mighty tempted to squeeze them just a bit.
I’ve spent the last couple of years moving people OFF the cloud and saving them a ton of money – the last place, I slashed the budget by 2/3rds! But then, I’m one of those IT experts who was around for the first bubble, so I know better.
Whoever came up with the term “The Cloud” was a marketing genius. It sounds so soft, safe and fluffy. It’s a much more manager-friendly term than “Managed Hosting”, which is what we used to call it.
If anything, I find it funny watching these “kids” in Bubble 2.0 tie themselves to all these third-party companies and end up getting locked in when prices go up *cough* Google App Engine *cough*.
For too many of these companies, ‘cloud computing’ is an euphemism for ‘cheap storage’. Sounds great in theory until their first external audit comes along and the auditors start asking all sorts of uncomfortable questions.
I dunno. The “cloud” as a metaphor sounds transient, wispy, and unreliable, in the typical case. In the worst case, it will go “funnel” on you and rip you to shreds. Or snow you. Less dramatically, you’ll probably get soaked. I could go on.
Cloud computing would only be sort of smart if there was a legacy of good data security. And the history of computing has been anything but.
News flash: British military companies are run by irresponsible, incompetent bean counters. At least their lawyers are on the ball.
This brings to mind the recent rash of serious security compromises of Japanese military companies. Just because it’s in-house, doesn’t mean there’s anybody qualified running it.
Bean counters maybe, but really it’s the IT department’s fault. They put together some spreadsheet that has a triple index matrix, mapping dollars to CPU core count to OS to criticallity. Some made up numbers to justify the total spend in the IT department.
These numbers typically don’t account for economy of scale and are padded to purchase the “sweetest” hardware available. Then there’s the pad to keep the business from expanding, and adding any effort for the hardware admins.
So you get prices like $1500 per month (actual project in 2006) to house a 1U server that will have zero touch by the on-site admins, and managed by the dev team instead.
Compare that to what Amazon is charging, and you get my point. IT department just priced themselves out of business.
I’ve been hearing “It’s the IT department’s fault” a lot over the last few years. There’s certainly a lot of truth to that, however…
In a corporation, the ultimate responsibility, notwithstanding the current insane and corrupt legal and regulatory system, is supposed to rest with the CEO.
That means that if a corporation’s IT department is allowed to get so out of control as to charge $1-2K a month to keep a single dinky VM running, then ultimate responsibility lies with the executives *above* the IT department, and with the CEO in particular. If there’s a problem in any department, it’s the CEO’s job to see that it gets fixed.
In this case, it was a double failure: they let their IT get so out of control that they wanted to do an end run around them, and then they proposed an end run that’s catastrophic for national security.
I’m sick and tired of CEOs getting a free ride for neglecting their basic responsibility to run the companies they’re paid exorbitant amounts to actually run.
Agreed. Totally and utterly stupid. And I think these problems will repeat elsewhere.
Yes, surely cloud-computing has it’s niche but even a newly qualified IT graduate should be more than capable of spotting the flaw in using it for sensitive data. Heck, I can see this and I have no IT degree. True, I started using computers in 1981 so have some experience, but cloud storage is a relatively new concept. This must be egg and milk for current university syllabuses. Or am I naïve?
My knowledge is old (much like me?!) so maybe experience does count after all… I say this probably more to convince myself of my worth!
Nope.This scenario is just plain “stupid” after all. No excuses for BAE or the many other companies who will follow.
Perhaps the companies offering cloud-based services should share the responsibility for educating customers?
More and more systems are connected. https://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/224400280/security-incidents-rise-in-industrial-control-systems.html
There was another study (this was my industry networking and industrial embedded systems) I can not find now. They figured out that something like 14% of the systems the engineers said were not internet accessible were. Really scary!
Stuxnet is only the first, and it was on our side. Cringley has posted the warning. Yes, everyone will ignore it, until it is too late.
It’s not just defense contractors, but regular corporations and schools putting data like that out there in the cloud. Do you think that some Fortune 500 company is really thinking that their big rival (or even groups like PETA) aren’t out there hacking away to get at data they’ve stored in the public cloud?
That ‘I’m with Stupid’ moniker is very apt, Bob.
Please stop using the expression ‘begs the question’. You do not know what it means. Look it up.
What you mean is ‘raises the question’.
Also, judgment is spelled ‘judgment’ in America. Maybe, you were trying to make some UK reference with your spelling?
Nice! Cringely needs an editor to catch the little gaffes. He should thank you for donating your time….
I was tempted to make the same comment about “begs the question”. Now I don’t have to.
“Begs the question” means assuming the answer to a question not asked. Like, “When did you stop beating your wife?”
“Raises” is what Bob meant.
There’s another aspect to this too you know…
For example, Google offers servers that you can co-locate within your business to have a private “cloud”. This lets Google target Government, and other organizations that want to use their services (like Gmail, Google Calendar, etc) but don’t want to have it publicly exposed.
I’m sure MS has the same thing.
So BAE is probably saying that they don’t trust the Microsoft Office360 stuff period – not enough to run it on their own network even, as they are probably running a private cloud version of it, not using the public cloud.
BTW, it’s X-Box 360 and Office 365. (Sorry, Kyle got me started.) However, although the BAE lawyers found the cloud untrustworthy, I doubt they themselves proposed a complete system that would be more trustworthy. I don’t trust the cloud either, yet I’m well aware that I don’t back up enough to feel that I’m 100% protected from data loss. I don’t know if Microsoft offers PIE (Pre-internet encryption…Steve Gibson’s term for a secure cloud) but that would be one way to solve the remote storage security issue.
So that would make it PIE in the sky?
15th!
PS – electrons don’t exist!
Am I missing something? If your email uses IMAP, like most every corporation in the world, doesn’t it have to be on a publicly accessible server somewhere? … but I guess if your IT guys are better than Microsoft or Google’s IT guys on data security, then you should stick with your guy’s “cloud”.
That said, BAE is said to have a lot of things that it doesn’t want the US Government to know about — usually involving its contracts with same. Like
https://www.fcpaprofessor.com/category/bae
Yes, Jay, you are missing something. The issue here is who control of the servers, and not whether email transits the Internet (though it should be encrypted while in transit anyway).
Addition to above : If your employees need to access email easily when out of the office, that is.
We had a terrible accident here in Missouri, in the middle of the USA. The power utility was operating an energy peaking facility. During low demand times it would pump water to a hill top reservoir. Then during peak times they would drain it to produce additional electricity.
One night they pumped in too much water. It crested the top of the reservoir and compromised the structure. The tidal wave of water wiped out a park and almost killed the park ranger and his family.
There was no one on site at the facility monitoring the operation. They were running it remotely. They knew their level sensors were not working correctly. They didn’t have an redundant sensors. They didn’t have a remote camera. They didn’t…. well you get the picture. It was a disaster waiting to happen, and it did.
Common sense is an art. It takes an engineer years and years to learn. You don’t learn it from books. You learn it from experience — both first hand and through the mentoring by older, more experienced engineers. Bob’s generational gap in experience is a very real and serious problem. It is showing itself all over the world.
In the technology world we work with and control the forces of nature. We harness vast amounts of energy and redistribute it in a variety of ways to support society. We use chemical reactions to produce a large number of materials and products. Managed properly things can operate very safely and for decades. Throw in some inexperience and you have the makings for terrible consequences.
This BAE story is an example of a much bigger systemic problem. We now have too many inexperienced people making decisions and operating on assumptions on things they do not understand or respect.
Bob The Cringe wrote: “… why are utility control systems even accessible from the Internet?”
Bozo asks: “… why was a utility control system even accessible from the Internet BEHIND A THREE-LETTER PASSWORD?”
:^)
These are the same idiots that are getting sued by a US Marine that got the Congressional Medal of Honor for defamation after he tried to stop them from selling high-end rifle scopes to the Pakistani army and thus to the Taliban/Al-Qaeda forces. A major HR mistake from a manager who had no clue as to how to deal with an employee who had left the company.
This company is going downhill fast!
https://www.bbc.co.uk/news/world-us-canada-15949418
https://www.marinecorpstimes.com/news/2011/11/ap-medal-of-honor-dakota-meyer-sues-bae-systems-112911/
Here’s a thought. Don’t equate a defense contractor using “the cloud” with ‘putting defense information into public hands’. The Secret stuff isn’t ever on a network that’s is externally connected.
Move along, nothing to see here.
Daryl, that is not entirely true. The really top secret and R&D stuff is in fact kept highly isolated. I worked on a weapon system. While it was being developed it was in fact highly isolated, or as we called it “in the black.” When the program was approved and funded it came “out of the black.” The important details were still kept secret — core designs, software, etc. However a lot of the program was now on the regular corporate networks. There were 100’s of emails between the company and its contractors. There were tests, and component evaluations, and…. If someone could access this information, they could learn a lot about the weapon system.
The data was kept in encrypted form on isolated servers. To access it you had to be authorized. There was a strong authentication system, and auditing to track who was accessing it and when. There was heaving auditing and monitoring of email. And a lot more. Our server admin’s had security clearances and went through regular background checks.
There are security audits. The auditors don’t like answers like “I don’t know” or “someone else does that.”
Could Microsoft do this stuff and do it well? Definitely. However it is the responsibility of the primary contractor to insure the secrecy of the program. The government does not care if “someone else leaked the secrets.” The primary is responsible and will suffer the worst consequences — which could include prison.
This is serious stuff and something you must have 100% control.
Maybe you must pull the cloud from your eyes and see the ugly truth. Because stupid is as stupid does. And if they are stupid enough to use a cloud, they are stupid enough to put sensitive information on it.
“If we have to rely on lawyers for data security advice, we’re in real trouble.”. Yeah, that’s right, lets just keep relying on the people and entities we have been. That’s worked out well.
“How much were they really saving? How much were they really risking?”
Does the phrase “socialization of risk, privatization of reward” mean nothing to you?
How much were they risking? Well, “they” is senior management, and based on the evidence of the past few years, absolutely nothing important to them. After the secrets are stolen, they will still have their bonuses, heck they’ll probably still have their jobs. The cozy tribe of the 1% will make excuses for them and ensure they are just fine.
Compare, for example, the ongoing unwillingness of US banks to switch credit cards to chip&pin — identity theft doesn’t make the execs lives any more difficult, so who cares about how it affects other people.
This is your problem, Bob — you are unwilling to accept the fundamental corruption at the heart of the system. Sure, you’ll get angry when a particularly egregious example occurs, but you’re not willing to deal with the fundamental problem — allowing the richest class of society to have SO MUCH more wealth than everyone else means they also have so much more power, and they WILL use that power to benefit themselves at the expense of everyone else.
the fundamental problem — allowing the richest class of society to have SO MUCH more wealth than everyone else means they also have so much more power, and they WILL use that power to benefit themselves at the expense of everyone else.
Um, there may be a fundamental mistake here. The only way the 99% “allowed” the 1% to become so rich, is we allowed them to freely innovate the things they wanted to and then turned around and allowed them to benefit, solely, from the fruits of their labor. Then we allowed them to do what they wanted with their riches, including passing it on to their offspring or whoever they chose or whatever cause they chose.
Wow, sounds like the American Dream to me. And “not allowing” those people to freely innovate and create and benefit solely, wow that sounds a lot like Communism.
Were we just talking about an “experience gap”? I think we have another one right here.
logic flow issue there. the 1% appointed themselves big $$. No innovation there.
With only a couple exceptions (WalMart and USAA) I have yet to see an IT organization run as well as the old mainframe shops I worked at in the 70’s and 80’s. Security, change control, everything was much more professionally run.
Of course we didn’t have to worry about Internet access (or email) back then…
Them was the good old days, none of this: I got my IT degree on-line from Bull Shit University and now I’m a qualified IT professional. What a joke!
Speaking of the old mainframe days reminds me of a programmer who was part of a group managing a mainframe (IBM 360) but worked for the company using it, not IBM. He once said if he didn’t get a promotion he’d quit, but not before writing a program to upset the computer at some time in the future. (That was before the days of the “computer virus”.) Last I heard he got the promotion. Of course, that could never happen today. 🙂
> Them was the good old days, none of this: I got my IT degree on-line from Bull Shit University and now I’m a qualified IT professional. What a joke!
I detect a contradiction here. If you cannot seriously earn a degree through online interaction, then what can you seriously do online? Which implies, the entire internet is a joke including the very IT profession itself.
There’s an old principle that goes like this: the efficacy of an argument does not lie with the person presenting it (or in other words, who or what is saying the words has no effect on the fundamental truth of the words).
So I would ask, if you learn all the material and pass all the exams and do all the projects, then does it matter where or how you earned the degree? Which is why, to people like me, there is no such thing as a “good” or “bad” school. That is, if you are judging schools that all deliver a certain minimum base curriculum, then they must all be equal in terms of that given minimum. If, however, you are judging a school by the type of connections you might make with your classmates then yes, certainly, there are good and bad.
Your medical records are already in the cloud.
My medical practice, along with every other doctor I know, are scrambling to get “stimulus” money for adopting “meaningful use” of an electronic health record and ePrescribing. Every vendor pushes their cloud system as the most reliable backup system. I am sure it has nothing to do with the eternal revenue stream (for them) associated with this service.
When we try to switch to another vendor, we’ll find out who owns the data.
Just thought you’d like to know.
Don’t blame the IT professionals. Management who see IT as purely a cost to the business want to outsource everything. If someone in IT tries to point out the flaws, management decide that they are just trying to protect their own jobs.
> begs the question
I thought you were educated before this bit of ignorance spread around. In English, that used to refer to “petitio principii”: http://en.wikipedia.org/wiki/Begging_the_question
I found it interesting that the wiki also included this:
“Modern usage
Many English speakers use ‘begs the question’ to mean ‘raises the question’… ”
Although it doesn’t say it’s correct, I have noticed that language evolves through usage, so someday we may just conclude he’s using the alternate meaning.
[…] I, Cringely » Blog Archive » Cloudy judgement at BAE Systems […]
I believe that one of the reasons is to avoid their individuals being searched every time they enter the US on business.
Apparently what’s happening is that BAE employees are being targetted every time then enter the US from the UK and other parts. Even though they’re there to support the US factories and increase their production (read – Jobs). The US authorities are taking their notebooks off them and copying all the data.
That way they wouldn’t have their notebook computers taken off them at the borders. It’s not as if they’d have really sensitive information on them anyway!
“why are utility control systems even accessible from the Internet?”
FYI, I’ve worked on several automated process lines that were remotely accessible without being on the internet.
I’m sure the engineering industry is rife with age discrimination.
you are the stupidest nut ever
your posts are like they are coming from someone very knowledgeble
you are just a fake
not a coder
not a technologist…but pretend to be one
Speaking as professional security analyst I have mixed feelings on the broadest level this issue. Certainly in the case of BAE they can afford to bring the IT in house and their IT Security in house. The degree of control they get by doing that is worth doing it and doing it right. Two realities, for smaller organizations its very likely to certain a tier one provider like M$ can offer better security then likely will on their own, and larger organization like BAE often don’t make the kind of investment in people it takes to do it right.
“The Cloud” is not an appropriate solution for BAE but its not automatically less secure then reasonable alternatives in many cases
I don’t know anything about how Wallmart does IT, but if I had to guess – they keep nothing in cloud.
Cloud as a “new paradigm” is about separating people from their money in yet another way. That’s it. Do you really believe that vendors are there to cut costs for everyone and in the process lose revenue? I don’t think so.
“How much were they really saving”
I don’t think saving is the point. Not being able to provide the same level of service and user experience internally as an external solution can provide is more the issue.
But of course I agree with you, they have no business going to a public cloud.
Ironically, the moment a company allows SSL connections on port 443, they are opening up a big security hole. It is child’s play to connect to an SSH server running on port 443 with PuTTY and tunnelling your (local user only) self-installed Firefox through it.
All the security guys could see (if they bothered to look) was a very long running SSL connection and its endpoints. Of course you can’t see the data going through it or where it is really coming from.
I have gotten around many a content filtering system in large banks and law enforcement agencies using this technique and nobody ever even batted an eyelid.
So are you saying that none of the “white hat” hackers are aware of this as a security issue? If they are aware and don’t say anything, then they are really “black hat” hackers. If they simply aren’t aware, well now they know and will say something about it, if there really is a credible threat.
Security people are well aware of it. I know some places tried an SSL whitelist for a while. This was soon switched off when the CEO wanted to order something on Amazon and couldn’t.
The threat is very really and easy to deploy. With a bit of inside info and social engineering you could easily get someone to run your script, which opens up and inbound tunnel giving you remote access to their computer to do as you please.
Everyone knows about it, but there isn’t anything they can do about it without shutting off SSL.
Well, there is one thing: check for suspiciously long running port 443 connections and check if they are actually pointing at a real SSL website instead of some other protocol.
“…inside info and social engineering…run your script…” Yes, it’s hard to protect people from themselves. But I’d bet if the information available via those 3 requirements, probably isn’t important enough to put up with the added security needed to prevent it.
Delete “if”.
You haven’t worked in many banks and law-enforcement agencies, have you? 🙂
The majority of the systems they use are ancient and have little or no security once you are inside the network. Heck, even the not so ancient ones have many holes in them.
It’s a treasure trove once you are in!
This is the kind of security hole that let Bradley Manning upload his stuff to Wikileaks. While I am glad he did, it does highlight a bit of a problem…
There is another angle to this story. One of the current problems in corporate IT is they have been cut back so much they can’t do their job properly. Thing are breaking. They can’t get project done on time. It is not their fault. There is too much work for too few people. The result is IT gets the blame and is seen as an obstacle.
One of the advantages of outsourcing (if you can call it an advantage) is the ability to shift the responsibility and the blame to an outside entity. If things go wrong it is no longer the internal IT or more importantly the internal IT management’s fault. Outsourcing provides deniability.
In many fields it is better to outsource some parts of IT. For example I recommend small firms and organizations outsource their email. The reason is simple — email is under constant attack from the Internet. A small firm should not have to invest in a whole head count just to keep email working. Small firms have small IT teams and those teams really need to focus their time on providing value to their employer and its business — not fighting spam. Some of email services do a very good job, have good security, and offer a good value for the money.
In the defense industry protecting intellectual property is extremely important and it is a criminal offense if you don’t. This is not something one should consider outsourcing to a provider and/or the cloud. You can’t delegate responsibility if there is a problem. You relinquish your ability to prevent problems. You must trust that your provider is doing things correctly. If they don’t you won’t know it.
If there are things in Microsoft’s cloud that were really of value to BAE, there is a better option — get Microsoft to install a “private” cloud service on BAE’s network.
If putting in a “private” cloud is a lot more expensive, then one needs to ask the important question — WHY? The reason is simple, in a public cloud everyone shares the same infrastructure — the same servers, the same disks, the same network. While there is some isolation between customers it hasn’t been fully tested, there have not been enough challenges to the security to see how well it works.
I think this issue has some interesting submerged layers that are a real unseen problem. Many are basically aware that the “Cloud” may reflect reality and vanish with your data or be hacked.
My friends in national security never like to talk about the fact that “patriots” who have government access to data of all types (Classified/Private and Otherwise) maybe sharing it with lobbyists, corporations and mobsters. Using the “patriotic powers of government” to tap into resources for their own agenda or others.
Things get easier to run but also easier to wipe out. Food supply and so on.
This is a real danger to our way of life in many dimensions!
Manning anyone?
Great article; I wish that more people thought about security and the cost of the lack-of-security.
All that IT expertise is kicked out the door (a lot of the time) because IT is being moved under the management of Financial departments. The heads have lots of swing in the business but little or no understanding of IT. As a result all decisions are best on “lowest price” instead of “best value”; including retention of expertise.
[…] Robert C. Cringley: Microsoft last week lost a potential European customer for its cloud-based Microsoft Office 365 product over concerns about the Patriot Act allowing U.S. government access to to private data. UK defense contractor BAE Systems said they’d changed plans on advice of their lawyers. Smart lawyers. […]