To Protect U.S. Cloud Computing, Follow the UK’s Example

Modern life operates in the cloud. Banking, business transactions, and even government intelligence relies on cloud computing. Cybersecurity and technical failures by cloud computing companies therefore pose significant economic and national security risks. An outage of global cloud and cybersecurity firm Cloudflare on November 18, for example, knocked X, ChatGPT, and tens of thousands of websites offline. An October outage of Amazon Web Services (AWS) had an impact on nearly 70,000 organizations.

The British government is taking steps to address the cybersecurity of essential services like cloud computing. Its new cybersecurity and resilience bill provides a possible model for Washington, which has, to date, failed to recognize that cloud computing is critical infrastructure.

Cybersecurity Bill To Enhance British Critical Infrastructure Defenses

Introduced in Parliament on November 12, the United Kingdom’s new Cyber Security and Resilience Bill (CSRB) will reform the existing network and information systems regulations by expanding the scope of what counts as an essential service. Previously, the regulations defined critical infrastructure (or “essential services” as they are known in the UK) as energy, transport, health, water, and certain digital infrastructure, including cloud computing. The new bill expands the definition to encompass components of multiple systems that the public relies on, including data centers and managed IT service providers.

CSRB also shortens the mandatory reporting timeline for cyber incidents — requiring notification of breaches with the potential to cause significant harm within 24 hours and a more comprehensive report within 72 hours. The bill “factsheet” notes that there will be a phased implementation plan, requiring follow-up legislation on more technical topics requiring in-depth consultations.

Cloud and Digital Services Need Stronger Protections

The ubiquity of cloud service providers creates an ideal target for malicious actors. Cybercriminals intent on disrupting business operations can focus on one target but impact thousands internationally.

China has already done this, breaching Microsoft to penetrate U.S. government systems in the summer of 2023. Along with AWS and Google Cloud Platform, Microsoft’s Azure controls 63 percent of global cloud infrastructure. A report on the breach by a joint government-private sector review board noted that “cloud computing has become an indispensable resource to this nation, and indeed, much of the world.”

Washington Should Also Prioritize Cloud Infrastructure

The U.S. government should follow the UK’s example of recognizing the importance of cloud computing systems and digital services in maintaining critical infrastructure and economic continuity. While Washington has designated the information technology (IT) sector as critical infrastructure, it has not updated the definition of that sector or of critical infrastructure more broadly since 2013.

The White House should specifically call out the cloud as an enabler of critical systems, acknowledging that it therefore meets the definition of critical infrastructure. This designation will allow greater allocation of government resources to support the industry’s risk management efforts and facilitate better communication between the federal government and private companies around incidents in cloud services — ultimately creating a more resilient national cybersecurity ecosystem.

Emmerson Overell is a project coordinator at the Foundation for Defense of Democracies (FDD) for the Center on Cyber and Technology Innovation (CCTI), where Sophie McDowall is a research associate. For more analysis from the authors and FDD, subscribe HERE. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.