Legitimate businesses may well be turning to the Cloud in increasing numbers, but so too are illegitimate businesses, according to the Minister for Home Affairs and Justice, Brendan O’Connor.
In a speech given at the International Association of Privacy Professionals Annual Conference in Sydney, O’Connor said cyber criminals were increasingly exploiting the Cloud to achieve their own aims.
“Cyber criminals can not only steal data from Clouds, they can also hide data in Clouds,” he said. “Rogue Cloud service providers based in countries with lax cybercrime laws can provide confidential hosting and data storage services, which facilitates the storage and distribution of criminal data, avoiding detection by law enforcement agencies.”
By way of example, O’Connor said cyber criminals could use the Cloud to secretly store and distribute child abuse material for commercial purposes.
“Cyber criminals can control servers in Clouds, denying legitimate users access to websites and targeting websites with repeated messages or images,” he said. “There have also been suggestions that Clouds can be used as launching pads for new attacks, such as trying all possible password combinations to break into encrypted data.”
According to O’Connor, the late 2009 attack on Google and several other companies was a reminder of how vulnerable systems and data were.
“The attack, which included attempts to access the emails of certain individuals, demonstrates the particular vulnerability of personal information and private communications in the online space,” he said.
In order to mitigate the risks posed by cyber security, increased transparency and confidence building between Cloud service providers, businesses and government agencies was required, O’Connor said.
For its part, the government was seeking to achieve this through the Australian Federal Police’s (AFP) High Tech Crime Unit, a child exploitation tracking system developed by CrimTrac, and thought leadership from the Australian Government Information Management Office (AGIMO).
“AGIMO has consulted widely across government, and is currently investigating a number of issues, including: the vulnerability of offshore data storage; the extra-territorial legal issues around compliance and privacy; and, the contractual arrangements necessary to achieve appropriate levels of security,” O’Connor said.
“Because Cloud service providers aren’t interchangeable, the difficulties inherent in swapping providers will also need to be considered, along with the ability to retrieve information in the event of a disaster or vendor failure.”
In addition, there may also be increased security or privacy risks for governments if a Cloud had unrelated customers sharing hardware and software resources, with the concentration of resources and data in one place providing an attractive target for cyber-criminals.
“Given the benefits of Cloud computing, not just to business, but also to Government and to individuals, there is an imperative for us to work through the issues together, in order to take full advantage of everything that Cloud computing has to offer,” O’Connor said.
The comments follow similar cautions from the Australian Prudential Regulation Authority (APRA), which in mid-November issued an open letter emphasising the need for proper risk and governance processes for all outsourcing and offshoring arrangements, including Cloud computing.