It turns out the hacks into various cloud-based services and cloud providers by the People’s Republic of China were far more extensive in depth and breadth than heretofore reported.
They came in through cloud service providers, where companies thought their data was safely stored. Once they got in, they could freely and anonymously hop from client to client, and defied investigators’ attempts to kick them out for years.
Cybersecurity investigators first identified aspects of the hack, called Cloud Hopper by the security researchers who first uncovered it, in 2016….
A Wall Street Journal investigation has found that the attack was much bigger than previously known. It goes far beyond the 14 unnamed companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group Inc, one of Canada’s largest cloud companies; Tieto Oyj, a major Finnish IT services company; and International Business Machines Corp.
Disgustingly, the cloud providers spent their efforts trying to cover up the breaches rather than working effectively to contain them and eject the spies.
Investigators in and out of government said many of the major cloud companies tried to stonewall clients about what was happening inside their networks. “It was like trying to pin down quicksand,” one investigator said.
Those companies should see their customers walk away, and those companies should be boycotted—and not only their cloud “services.” They’ve demonstrated that none of their products can be trusted because the companies themselves cannot be trusted.
The government’s response? One example:
Officials at the Department of Homeland Security grew so frustrated by resistance by the cloud companies that they are now working to revise federal contracts that would force them to comply with future probes….
This is the wrong answer. Those contracts should be canceled for cause (obstructing a criminal investigation comes to mind), and those cloud companies barred from doing business with the government. Answers to Requests for Proposals that include these companies as partners or subcontractors should be rejected, too. Some of the cloud providers became more cooperative after pressure from government, ours or overseas, but that’s not enough.
Cut them all off.
And develop offensive cyber weapons and use them against the PRC’s intelligence, military, and political establishments.