An obscure Defense Department IT certification has become the latest flash point in a long-running fight over which West Coast tech company is best suited to safeguard America’s national security secrets.
In late October the Pentagon jilted Amazon when it turned to Microsoft for a centralized cloud computing network called the Joint Enterprise Defense Infrastructure, or JEDI for short. Analysts had widely assumed the contract would go to Amazon Web Services, the commercial market leader, in large part because an earlier CIA contract gave it years of experience handling sensitive government data.
But on December 12 Microsoft became the second company to hold the Pentagon’s highest-level IT security certification, called Impact Level 6, Defense Information Systems Agency spokesman Russ Goemaere told The Washington Post in an email. The temporary certification lasts three months, after which a longer one will be considered, Goemaere said. The news of Microsoft’s certification was reported earlier by the Washington Business Journal.
The certification means that, for the first time, Microsoft will be able to store classified data, up to the Secret level, in its cloud. Defense and intelligence agencies typically keep such data on air-gapped, on-premises networks rather than in the cloud-based systems most companies now use to reach far-off data centers. Previously, Amazon was the only cloud provider trusted with Secret-level data.
The IT certification could help justify Microsoft’s surprise JEDI win, which has become the subject of a high-stakes, politically charged lawsuit over allegations that President Trump meddled in the government procurement process to steer public funds away from Amazon.
Before the award to Microsoft, Trump directed Defense Secretary Mark Esper to review the Pentagon’s approach to JEDI. Trump said on television that he had received “tremendous complaints” from companies that compete with Amazon, and privately expressed concerns that the contract would go to Amazon. Trump has long derided Amazon founder Jeff Bezos, who separately owns The Post.
The matter is being litigated in the Court of Federal Claims, which handles disputes over federal contracts.
In its legal complaint, Amazon leaned heavily on its CIA experience to justify the idea that Microsoft could not possibly have bested it in a fair fight, although much of the information was redacted. Spokesmen for Microsoft and Amazon declined to comment for this story.
In the complaint, Amazon Web Services criticized the Pentagon for failing to recognize its alleged technical superiority. It also argued that Microsoft's product is inferior, pointing to vulnerabilities disclosed in a government database as grounds to question its fitness for the contract. Specifically, Amazon's lawyers pointed to a class of attack called a "hypervisor breakout," also known as a virtual-machine escape, in which code running inside one customer's virtual machine exploits a flaw in the hypervisor, the software that keeps different customers on the same physical server isolated from one another, to take control of the host and reach other tenants' data.
“A successful hypervisor breakout attack would be devastating to customers, like DOD, who need absolute security on their cloud platform,” the company’s lawyers wrote in the complaint, adding that Amazon’s product “is the first and only cloud architecture available to DOD that is capable of effectively preventing such attacks.”
The company’s chief technology officer, Werner Vogels, touted AWS’s security advantages at a recent conference hosted by Amazon.
“Everything is encrypted by default,” Vogels said. “In that way, we’ve actually improved security significantly.”
Both companies appear to have their share of security issues. The National Vulnerability Database, maintained by the National Institute of Standards and Technology, lists dozens of vulnerabilities in Microsoft's hypervisor, known as Hyper-V, as well as quite a few involving Amazon's, which is called Nitro. A raw count of published vulnerabilities is a weak measure of comparative security, however; it reflects how closely a product is studied and how openly its vendor publishes fixes as much as how often it is broken. Cloud security experts contacted by The Post also could not point to a known instance in which a hypervisor breakout actually played a role in a major data breach.
Andras Cser, a cloud security analyst with Forrester, said AWS’s hypervisor “seems more security focused,” but added that customers generally do not see the hypervisor breakout issue as much of a threat.
By comparison, there have been numerous incidents in which a cloud customer, rather than the provider, accidentally left sensitive data publicly accessible in misconfigured cloud storage.
In a 2017 incident, a Booz Allen Hamilton contractor working for the National Geospatial-Intelligence Agency inadvertently left sensitive government passwords in an Amazon S3 storage bucket that anyone on the internet could read. In a similar but unrelated incident, a contractor working for the Republican National Committee left detailed information on nearly every U.S. voter in a publicly readable S3 bucket.
Both disclosures were discovered by a security researcher who had been scanning S3 buckets with guessable names to see which of them could be read without credentials. It is unclear whether such a disclosure would be possible in AWS's government-focused clouds, which rely on designated, isolated collections of data centers such as the company's "Secret Region." An isolated region limits who can reach a bucket at all, but a bucket left readable to every authenticated user remains a customer-side configuration error that the region boundary does not by itself correct.
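The two 2017 exposures above were customer-side misconfigurations: storage buckets whose access settings let anyone read them. As an added illustration, not code from the article or from either company, here is a small offline audit that reads the JSON that AWS returns for a bucket's policy and ACL and reports why the bucket is public. The bucket names, policies and account ID are constructed for the example; only the predefined group URIs are real AWS values.

```python
"""Offline audit of Amazon S3 bucket settings for public read access.
Assumption, not from the article: inputs have the shape returned by
`aws s3api get-bucket-policy` / `get-bucket-acl`; sample buckets are constructed."""
import json

# Predefined S3 group URIs that make an ACL grant public (real AWS values).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True for the wildcard principals that apply a statement to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def policy_findings(policy):
    """Reasons a bucket policy lets the public read data (empty if none).
    Allow statements with a Condition are reported as 'conditional': they still
    need review, since e.g. a check on aws:Referer is not an access control."""
    findings = []
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if not any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')}: {kind} public read")
    return findings

def acl_findings(acl):
    """Reasons the bucket ACL grants read access to a predefined public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings

def audit_bucket(name, policy, acl):
    """Combine policy and ACL findings; 'public' is True if either exposes data."""
    findings = policy_findings(policy) + acl_findings(acl)
    return {"bucket": name, "public": bool(findings), "findings": findings}

# Constructed sample buckets: public via policy, public via ACL, and closed.
OWNER_ONLY_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
SAMPLE_BUCKETS = {
    "example-contractor-backups": {
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Sid": "AllowRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-contractor-backups/*"}]},
        "acl": OWNER_ONLY_ACL},
    "example-voter-models": {
        "policy": None,
        "acl": {"Owner": {"ID": "owner"}, "Grants": [{
            "Grantee": {"Type": "Group",
                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]}},
    "example-locked-down": {
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Sid": "TeamOnly", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/analysts"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-locked-down/*"}]},
        "acl": OWNER_ONLY_ACL},
}

def audit_all(buckets=SAMPLE_BUCKETS):
    """Audit every bucket in the mapping; one result dict per bucket."""
    return [audit_bucket(n, b["policy"], b["acl"]) for n, b in buckets.items()]

if __name__ == "__main__":
    for result in audit_all():
        print(json.dumps(result))
```

The script treats a grant to AuthenticatedUsers as public because any AWS account holder satisfies it, which is the mistake behind many "private" buckets. AWS added S3 Block Public Access in late 2018, after the incidents described above; enabling it at the account level overrides both of the settings the script inspects and is the first control to check in a real audit.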
In a more recent incident involving AWS, a data breach exposed more than 100 million applications for Capital One credit cards. A 33-year-old former Amazon employee was arrested in connection with the breach, prompting several lawmakers to call for a deeper inquiry. Spokespersons for Capital One and Amazon said at the time that the vulnerability, a misconfigured web application firewall in front of the bank's cloud servers, was not cloud-specific.