The Defense Department said the companies that received contracts to support the agency's Joint Warfighting Cloud Capability (JWCC) in December of last year are "receptive" to red teaming and providing more visibility into the service provider side, not just the customer side.
"We have some work to do probably on the visibility of the service provider side of the equation. We've had some incidents recently that have shown that we probably need to shore some visibility issues where maybe we do some outside in looks at the clouds that they built for us," Dave McKeown, acting principal deputy CIO at DOD, said at AFCEA's TechNet Cyber conference in Baltimore, Maryland.
Earlier this year, CIOs from each military service traveled to the West Coast to tour all four cloud service providers that were awarded the JWCC contract.
"I have taken all of my CIOs in the department on field trips to each one of the cloud service providers … where we can ask the tough questions about their architectures and their technologies and how they're securing specific aspects of their applications," McKeown said. "We know we are in a partnership with them. We have to both be successful cybersecurity-wise in order for us to continue to succeed together."
Around the time of the trip, it was reported that the DOD secured an exposed server hosted on Microsoft's Azure government cloud that was spilling internal military emails publicly after a misconfiguration left the server without a password and allowed access to sensitive government information, a lot of which was related to U.S. Special Operations Command.
McKeown said it's important to continue developing a close partnership with the cloud service providers and emphasize that the department wants to work with them, not "scare them off" or "bring the lawyers in." He added that the department is adopting the industry's best practices and products into its environment, something they would not be able to do on their own — all the while satisfying customer demand.
"Let them believe that they're part of the team because they are and work together on securing these environments," McKeown said. "I see every time there's an incident. There's a lot of disparaging comments about putting all of our eggs in a cloud service providers' basket. … I'll tell you what, I've witnessed when we are in charge of building things and securing them and defending them, we haven't historically done that great of a job either."
Meanwhile, the National Security Agency (NSA) is launching a series of attacks on the zero-trust security systems of the four cloud service providers to determine whether the companies implement zero trust correctly and are able to withstand attacks from the NSA red-team hackers.
These tests are not required for the JWCC contract, but are conducted as an independent experiment.