Online US retail giant Amazon has used its cloud operations to do a deal with the GCHQ, MI5, and MI6, The Financial Times (FT) reports. This has raised concerns over how data is being collected and used, and may even pose a potential security risk.
The deal is reported to be worth £500m to £1bn over a decade, and was signed earlier this year, but only made public in the last few weeks. MPs have expressed surprise over a US company being ask to store top secret data on the cloud by UK spy agencies. Cyber security experts have also voiced concern, and called for further scrutiny of the deal.
The FT reports that parliament’s intelligence and security committee (ISC) has announced it is commencing an inquiry into cloud technologies, but it has refused to comment further or clarify any details.
Conor McGinn, Labour’s shadow security minister, said: “There are key issues that are causing concern, such as what security arrangements have been put in place given the deal is with a non-British company, and how such a large deal with one supplier will impact on the UK’s cyber resilience.”
The Guardian followed up on the news of the Amazon deal, reporting that Priti Patel, the Home Secretary, is being put under pressure to explain what the security risks will be, and what contingency measures will be in place in the event of a major system failure. McGinn has called on Patel to make a parliamentary statement.
Neither GCHQ nor AWS, Amazon’s cloud services arm, have commented on the contract, according to the FT. However, the publication spoke to Joss Wright, a researcher at the Oxford Internet Institute, who has expertise in privacy-enhancing controls. He commented that it would be very difficult to ensure that Amazon had no access to the data.
Wright said that although various layers of safeguarding could be built into the system, it was no guarantee that the data couldn’t be accessed somehow. He questioned whether the UK spy agencies would be relying solely on trust, or whether it was possible to put some sort of technical barrier in place.
Other sources point out that US and UK agencies already work closely together, with the first AWS deal being put in place eight years ago.
A former director of GCHQ, Sir David Omand, said: “If anything, a cloud solution should be more secure than the arrangements we have today. Because if you’re trying to share information on legacy systems at great speed as threats change or new urgent missions arise, there’s always a risk you’ll expose yourselves to security problems you don’t even know about.”
However, there is still unease about the fact that the UK’s most highly classified data will be hosted by a single US company. The fact that it is a public-private partnership that was agreed in secret has raised many questions about what this means for the world’s intelligence agencies.
For internal infrastructure penetration testing, talk to us today!