Cloud providers are under attack – and sabotaged services will freeze operations

Over the next two years, cloud service providers will be systematically sabotaged by attackers aiming to disrupt critical national infrastructure (CNI) or cripple supply chains. Organisations dependent on cloud services will find their operations and supply chains undermined when key cloud services go down for extended periods of time.

Nation states that engage in a digital cold war will aim to disrupt economies and take down CNI by sabotaging cloud infrastructure through traditional physical attacks or by exploiting vulnerabilities across homogeneous technologies. Attacks on cloud providers will become more regular, resulting in significant damage to businesses which share those platforms.

Organisations with a just-in-time supply chain model will be particularly vulnerable to service outages and will struggle to know when services will be restored, as cloud providers scramble to prioritise customer recovery.

Further consolidation of the cloud services market will create a small number of distinct targets that underpin a significant number of business models, government services and critical infrastructure. A single act of sabotage will freeze operations across the globe.

What’s the justification for this threat?

According to Gartner, the cloud services market is expected to grow from $221 billion in 2019 to $303 billion by 2021. The five largest cloud providers account for 66% of the global cloud market, with further consolidation of the market expected. This will create an attractive target for attackers, from nation states aiming to disrupt CNI to organised criminal groups seeking to steal data. These popular cloud providers will become a point of failure, posing significant risk to businesses which are operationally dependent on them or have supply chain partners with similar dependencies.

The two largest cloud providers (Amazon and Microsoft) account for nearly half of all cloud services. Microsoft, Google and Alibaba have all grown their market shares substantially, but this has not been at the expense of Amazon – it is the small-to-medium-sized cloud providers that collectively have seen their market shares diminish. This has effectively consolidated the market, allowing attackers to focus on fewer but richer targets.

The large cloud providers boast a plethora of high-profile customers, including government departments, organisations involved with CNI and a number of information security providers. If a cloud provider were to be systematically targeted via traditional DDoS, physical attacks or other means, there would be significant disruption to its services and dependent organisations. Some organisations also rely upon multiple cloud providers to underpin individual systems, but in doing so create multiple points of failure.

In order to optimise their services, cloud providers use common technologies, such as virtualisation. Vulnerabilities discovered in these homogeneous technologies will have wide-reaching impact across multiple cloud providers. Issues of this kind have been seen previously with the Spectre and Meltdown security vulnerabilities, which affected a significant number of organisations.

Several previous cloud outages have been caused by human errors or natural disasters. In February 2017 one of Amazon’s regions, US-East-1, was taken offline due to human error. This had a direct effect on IoT devices which use Amazon’s cloud services, such as the smart home app Hive. A number of high-profile websites were also taken completely offline, resulting in lost revenue. In July 2018 Google Cloud also experienced an outage, affecting users’ ability to access Snapchat and Spotify. These incidents exemplify the potential impact of cloud outages. Determined attackers are likely to develop skills and resources to deliberately compromise and exploit these cloud services over the coming years.

How can you prepare?

Organisations that are reliant on cloud providers for one or more critical systems or services should prioritise preparation and planning activities to ensure future resilience.

Picture credit: "Icicles", by Eric Lumsden, used under CC BY ND 2.0