Amid growing concerns that Amazon improperly influenced the bidding process for a Pentagon cloud computing contract, the Department of Defense recently announced that it has agreed to review the charges. These damning allegations must be investigated to the fullest extent, and if proven true, Amazon must be held accountable with more than a slap on the wrist.
This situation is, of course, bad enough on its own. But reports that Amazon is a serious contender for this project are deeply troubling when you consider the fact that its cloud computing platform has been riddled with security breaches. Amazon Web Services (AWS) is known to be a lair for cybercriminals who have wrought havoc on AWS users.
Amazon has shown time and time again that it has lax protections when it comes to data security. Uber riders, for example, may recall receiving notice that their personal information was made accessible to hackers in 2016, after more than 50 million users worldwide had their names, email addresses and phone numbers compromised. The company hosting that information? Amazon. Similarly, some 4 million Time Warner Cable customers had their personal information left susceptible with Amazon at the wheel during a 2017 hack.
It’s true that many of these cases involve companies making mistakes in configuring their AWS accounts. And Amazon has been encouraging clients to use best practices. But putting the onus on clients hardly seems like an acceptable stance from a cloud storage provider whose product is supposed to be secure. Would we accept this response if an Amazon-run Pentagon cloud was hacked by a foreign adversary—that it’s not Amazon’s responsibility to ensure its systems are safe?
The reality is, if Amazon cannot stop a bunch of rogue actors meddling with its cloud platform, then it will have no chance of stopping a hostile enemy from infiltrating the Pentagon’s files. Amazon has absolutely no business building the Pentagon’s lockbox. Not if we care about national security, anyway.
As the federal government sought to transition more of its computing capabilities into the cloud, the Pentagon issued a request for proposal for the Joint Enterprise Defense Infrastructure contract, better known in defense circles as JEDI. However, the proposal also happened to be written in such a way that it matched only one potential bidder: Amazon. This favorable contract design has many experts worried that the Defense Department may have fallen victim to a rigged procurement process, and lawmakers and regulators are finally getting wise to Amazon’s inside track to our country’s most closely held national defense secrets.
Choosing a single contractor to develop the IT infrastructure of the Pentagon, particularly one as faulty as Amazon, could also create headaches down the road. A former Defense Department acquisition official noted that the DoD could see significant issues in the coming years in trying to break away from proprietary technology if the JEDI contract is awarded to just one vendor. With so much on the line, the Pentagon must think long and hard about this decision.
Just listen to military officials, who have long advised the Defense Department to instead pursue a “multi-cloud” design that would improve both security and efficiency. Air Force Deputy Chief of Staff for Intelligence, Surveillance, and Reconnaissance Lt. General VeraLinn “Dash” Jamieson explained that a multi-cloud design would give potential hackers “a targeting problem.” A single-cloud approach would be a bullseye to potential hackers.
Put simply, lawmakers deserve credit for raising concerns about Amazon’s influence over the JEDI procurement process, but now they need to start asking the hard questions about Amazon’s security credentials. There will be no do-overs in building the Pentagon’s cloud.