When news broke of the Capital One hack, a $10 billion Defense Department contract known as Joint Enterprise Defense Infrastructure, or JEDI, seemed to many all but a done deal for Amazon Web Services. The hack allegedly was perpetrated by Paige Thompson, a former Amazon employee, after she’d left the company.
Then the Department of Defense announced the JEDI contract was being put on hold for newly-confirmed Secretary of Defense Mark Esper to review it.
Trump critics immediately dismissed the move as retaliatory, claiming that President Donald Trump was lashing out at Amazon’s founder Jeff Bezos, who also owns the Washington Post, a publication the president has often called a purveyor of “fake news.”
There had been contention over the bidding process for this massive government contract. IBM protested to the Government Accountability office; Oracle sued. There were reports that Oracle vigorously lobbied the president for assistance in their fight, claiming, among other things, that a conspiracy was afoot. In the end, the Defense Department remained steadfast. The cyber needs of the world’s largest military could only be met by two companies: Amazon Web Services and Microsoft Azure.
The FBI’s arrest of Thompson for stealing the data of more than 100 million Capital One customers and applicants made Amazon Web Services headline news — and a poster child for why getting cybersecurity right matters so much. Never mind the fact that the FBI’s report said the cause of the breach may have been a “misconfiguration” on Capital One’s side: Optics matter when it comes to cyber.
Although Trump had expressed interest in reviewing the JEDI contract before Thompson’s arrest, the news would seem to have further imperiled the deal. The White House instructed its latest defense secretary, Mark Esper, to re-think the award of its cloud-computing contract to a single provider. The Capital One news was likely a catalyst. Oracle’s lobbyist probably was, too, and the news offered pretext. My favorite slogan for the upcoming general election comes to mind: Hindsight is 2020. It doesn’t matter. What matters is that root causes continue to get punted every time something like this happens.
The president has made no effort to disguise his disdain for Amazon, the Washington Post and Jeff Bezos. It doesn’t matter. The motive behind last week’s directive was likely neither pure nor high-minded. That doesn’t matter either. In the wake of the Capital One news, the White House was right to question the wisdom of making Amazon the sole JEDI provider (though one would hope that question had already been asked and answered).
As for President Trump’s role in getting this right, a goal’s a goal, even if it ricochets off the back of someone’s head. Fallibility is the only absolute when it comes to the safeguarding of digital assets. With JEDI, getting anything at all wrong could yield catastrophic results. Therefore, caution is the rule of the day. There is no such thing as too much caution on this one — the politics around that be damned.
It is possible the White House will demand the JEDI contract be divvied up between at least the two currently eligible contractors. It’s impossible to know if that’s the right thing to do. It might increase the likelihood of a successful attack on the DoD’s digital assets, and with that our nation’s ‘bombs, bullets and bytes’ defense, by expanding the attackable surface associated with it. On the other hand, the opposite could just as well be true.
Cybersecurity continues to be a quagmire because the entities where solutions are most likely to be developed have bigger fish to fry.
The risks of getting hacked simply do not pose a sufficient threat to the bottom line of most organizations to warrant anything like more perfect measures. Cyber-insurance covers most of the associated losses of breaches and compromises, which last year averaged $3.9 million per event for U.S. companies.
In the post-Edward Snowden world, one would think crimes like the one(s) allegedly committed by Paige Thompson wouldn’t still be possible — but there is no “drop-in” solution, no secret computer appliance that can stop all insider theft and-or fraud. Criminals love a good challenge, and no firewalls or intrusion detection system is smarter than a bad player with boots on the ground and determination.
Whether we’re faced with a “whistleblower” like Edward Snowden, or — perhaps — a “Thompson” incident, at issue is not failed systems. The problem is a failed culture where the procedures, stopgaps and the cautions necessary to protect any given asset escalate proportionately with the sensitivity of that asset. True, it’s impossible to predict the Snowdens and Thompsons of the world, but we should have learned by now to expect them, and then prepare accordingly.
Culture and organizational controls are key. Structural stopgaps are also important, which is why some will argue that it is better for more than one party to work on JEDI, and still others will advocate a single provider.
It is exceedingly rare these days for a hacker to punch through a firewall or decrypt a packet on its way to a bank. The current technology, when updated and implemented correctly, works pretty well.
That said, employees daily provide passwords to criminals because a likely-sounding person on the other end of a cold call told them to do that. Remote connections to a company server aren’t always shut down. Edward Snowden was provided with enough access to pull sensitive data, and, with a clever trick, he strolled into the world with a franchise or two worth of news. We’re looking for “systems” to stop human criminals from doing human criminal things. The solution has to be human as well.
While there is no such thing as a failsafe mechanism, organizational protocol or system that can protect sensitive data, we can do more. The leader of the free world has spoken, and (shockingly this time) he’s completely right.
Caution should be the watchword when it comes to JEDI — and so too with regard to our upcoming election.
NOTE: This post has been updated from the original to clarify that applicants were among the 10 million whose data was compromised in the Capital One hack.
Adam K. Levin is chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com. He is a former director of the New Jersey Division of Consumer Affairs and is the author of Swiped: How to Protect Yourself In a World Full of Scammers, Phishers, and Identity Thieves, which debuted at #1 on the Amazon Hot New Releases List.