There's no question that cloud computing has changed and will continue to change how enterprises handle security, but what are the gravest threats it poses?
In this video, Jim Lewis, Director and Senior Fellow in the Technology and Public Policy Program at the Center for Strategic and International Studies, gives his thoughts on how cloud computing security issues are likely to affect information security in the coming years.
- Watch part one of this series: Cyberwarfare and secure infrastructure collaboration
- Watch part three of this series: SCADA security threats and Stuxnet analysis
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Jim Lewis on cloud computing security issues
Mike Mimoso: Hi, I'm Mike Mimoso, and Jim Lewis is with me today. How are you,
Jim? Thanks for joining us.
Jim Lewis: Great to be here.
Mike Mimoso: It's cloud computing going to exacerbate the security issues that we
have right now?
Jim Lewis: Probably not, because I don't think security will become any worse. It
would be hard for it to become worse. You know, there's a different set of
risks now. You're not responsible for safeguarding your information,
somebody else is. But I don't think the actual level of risk will change
that much. There are new risks to cloud computing and the biggest one is,
you know, you're service provider has you on a box here and another
customer on a box there, and how do you keep the data from being co-
mingled? If the other customer is subject to a search warrant, how do you
make sure they don't take your box? There's a new set of problems but
overall I don't think the level of risk will change.
Mike Mimoso: A lot of people are juxtaposing cyber espionage with cyber war,
there's obviously a difference there. Do you think it's lending to some of
the confusion that's out there around these topics?
Jim Lewis: I don't believe there's ever been a cyber war. I don't think there's
been more than one or two cyber attacks. There have been no cyber attacks
against the United States. And some people, I think go off the deep end and
say Wiki Leaks was an attack on the United States. No, come on, it was
politics by a bunch of European lefties. I mean, what else is new. Cyber
warfare is a potential risk. There's a few nations that have the
capability. There are groups that would like to acquire it.
You know, the Russians and the Chinese could launch a cyber attack against
us but they're not going to do that. When the North Koreans get the
capability, maybe we'll be a little less comfortable. Cyber espionage is
completely different and as far as I know it started almost 30 years ago.
Espionage began the day after man was created, right? And well, what can we
say, it's continued ever since and a lot of countries put a lot of emphasis
into figuring out how to exploit computer networks, not just our favorites,
there's probably 20 countries in the world that are pretty good at this.
So, cyber espionage is part of the landscape.
Mike Mimoso: Why haven't market forces worked better to bring about change in
Jim Lewis: This is really a painful point for me. Because in 1996 I was on a
White House task force to create secure public networks and I wrote a
paper, which thankfully they didn't release, that said we didn't have to
worry about this authentication stuff in cyber security because the market
would deliver it. The market would demand secure products, and companies
would supply them. So that was, what was that, 15 years ago? Still waiting.
Any minute now. Market forces are not enough, and it's painful for Americans
to admit that. We prefer to think that the market will fix things. Usually
the market does a better job. So it's not unreasonable, but it won't
deliver cyber security. Because the incentives are not there because the
issues are too complex and because some of them involve what we call public
goods, right? National security, public safety, law enforcement. We don't
rely on the market to deliver them. Anywhere else, why would we rely on
them for cyber security?