Chinese hackers spying on American cloud

With the National Security Agency spying on pretty much everyone inside and out of this country, we can't be too surprised, or offended, to find out that other countries are spying on us.

Besides, the cloud is such a tempting target.

According to the U.S.-China Economic and Security Review Commission's annual report to Congress, "strong evidence has emerged that the Chinese government is directing and executing a large-scale cyber espionage campaign against the United States."

The 465-page report goes on to explain that these practices "may present cybersecurity risks for U.S. users and providers of cloud computing services." China's willingness to combine commerce with spying "represents a potential espionage threat to foreign companies that might use cloud computing services…the Chinese government one day may be able to access data centers outside China through Chinese data centers."

The report also explains that "China’s Ministry of State Security (MSS), the country’s main foreign intelligence collection agency, is closely connected with the Chongqing Special Cloud Computing Zone." This relationship "represents a potential espionage threat to foreign companies that might use cloud computing services provided from the zone or base operations there."

Yet according to a Bloomberg article by Chris Strohm, "The report fails to cite any examples of the Chinese government using [cloud] technology in attacks."

The government is more concerned with protecting its own data than protecting corporations'. “Our focus has been on making sure that Defense Department or State Department data, or other government information, is secure,” commission chairman William Reinsch explained to reporters. “To the extent those entities use the cloud as well, we think that they need to get a better grip on who’s actually providing their services and where their data is going.”

One company that may have a lot to worry about is Microsoft, which has licensed a Chinese company, 21Vianet, to provide cloud services in China. According to the report, "Microsoft currently plans to link 21Vianet’s data centers in China to Microsoft’s data centers in other parts of Asia, Europe, and North America."

But Doug Hauger, Microsoft’s general manager for China commercial cloud services, asserts that 21Vianet cannot access “services and datacenters operated by Microsoft outside of China,” and that Microsoft cloud services Azure and Office 365 “include security technologies, systems and monitoring to mitigate malicious activities…If we believe malicious activity is taking place, we investigate and take the appropriate action.”

Perhaps in response to Hauger's assertion, the commission seems to be modifying its criticism of Microsoft's approach. In a new statement, quoted in the Bloomberg article, the commission states that it had “been informed of new information and will be reaching out to all involved parties to determine what impact, if any, this has on the findings.”

It's possible that Microsoft can protect itself from Chinese hacker spies. It may even be possible for the U.S. government to do the same. But as long as private information is stored in a public cloud, the dangers can't be ignored.
