Should Cloud-Service Companies Face More Government Oversight?

"Cloud-computing services are so ubiquitous that it's hard to fathom modern life without them.

Take a photo on your phone and it is zapped to a cloud service for storage. Order shoes online, book a hotel room or stream a TV show, and the transaction likely takes place in the cloud. Moreover, thousands of companies and government agencies use cloud computing to run their core internal software and databases.

So when cloud services go down due to a technical malfunction -- or get hacked or infected by a virus -- millions of consumers and corporate customers can suffer.

Yet the companies that provide cloud services -- Amazon.com Inc., Microsoft Corp. and Alphabet Inc.'s Google are among the largest -- are lightly regulated compared with some other crucial industries, such as electric utilities, banks and airlines.

Should they face more government oversight? We put the question to three experts: Matt Schruers, president of the trade group Computer and Communications Industry Association; Adam Conner, vice president for technology policy at the left-leaning Center for American Progress; and Sanjukta Das Smith, chair of the management science and systems department at the University at Buffalo School of Management.

Here are edited excerpts of the discussion, which took place over email.

WSJ: Do cloud-computing companies need closer government scrutiny?

MR. CONNER: Cloud services touch every aspect of American life and commerce. The significant and various cybersecurity, infrastructural and environmental implications of such services clearly merit increased government oversight.

An important role for the government is to consider systemic risks and put in place tailored regulations to ensure safety and soundness of important and ubiquitous infrastructural services -- as they would for any other critical physical infrastructure.

MR. SCHRUERS: Cloud-based services are already subject to considerable regulation at the state, federal and international levels. The question isn't whether these services should be regulated, but whether they should be regulated even more than they already are. Calls for more need to demonstrate that the incremental benefit of more intervention outweighs the burden on public and private consumers of cloud services.

PROF. SMITH: Looking at this from the consumer's side, there is a related matter to consider, which is a lot more nebulous, and that is trust. Using a cloud-hosted service requires a fairly high degree of trust on the part of the consumer. Think about money matters, identity theft, etc.

It may be in the interest of business to collaborate with the government in coming up with regulations so that trust in such services doesn't become too much of an obstacle and thus affect market success.

WSJ: What are potential downsides, if any, of greater government oversight or regulation?

MR. SCHRUERS: Cybersecurity isn't a one-size-fits-all proposition. Not every consumer of a cloud-based service needs or can afford the level of resilience required by the Pentagon. Imposing that standard on every vendor for every use case would price individuals and startups out of the market for these services, and make small vendors less competitive relative to large incumbent firms.

Government fiat isn't the only way to regulate. Government procurement standards already steer what the market provides, because vendors seeking government contracts must offer that level of resiliency. And governments can always choose to condition new funding on implementing new industry consensus standards and best practices.

PROF. SMITH: If we look at the cloud-computing companies themselves, we are dealing with an oligopolistic market. These are large, powerful entities that have a lot of negotiating power, stemming from their market and economic influence. I don't think regulations are going to stifle innovation in such large firms, even if we are talking about regulations that specifically target or raise the work burden in these companies.

MR. CONNER: If we focus on cloud-based online infrastructure, as Sanjukta correctly points out, there are only a few companies in an oligopolistic market. That level of concentration also presents a tremendous vulnerability. Outages in the largest cloud-service providers over the last few years have had significant costs for businesses and consumers. It is becoming clear that these few services are a new form of critical infrastructure.

Matt pointed out that government procurement standards can help raise security standards. But commercial customers, not government entities, are where a tremendous amount of these critical services and sensitive information exist in the cloud. The last few years have shown the limits and vulnerabilities left by many of our voluntary standards in the commercial sector.

What we have now is a concentrated market that is also unregulated, seemingly leaving little downside to considering regulations for at least the largest gatekeepers in the space.

WSJ: If you favor more government oversight, what behavior or situation would it target and how?

PROF. SMITH: I would like to see more government-mandated consumer protections when the consumer suffers from inadvertent or negligent actions of companies. Think about the average consumer whose credit rating has been devastated by identity theft stemming from a cloud security breach. A credit-monitoring service is usually offered in these cases, and that is a good start.

Security breaches must be reported. And this is where the consumer-protection issue comes into play.

MR. SCHRUERS: Most states and the [EU General Data Protection Regulation] have some form of breach reporting already. One challenge is whether companies should report before they've remedied the threat, lest the report of the breach compound the injury by flagging to other adversaries the existence of an unresolved vulnerability.

Similar challenges confront mandates around disclosing what security software and systems a company deploys: Is this helping consumers make informed decisions, or just arming adversaries?

At the same time, we want companies providing the information that governments and customers need to make reasonably informed decisions. Certifications play a valuable role here.

WSJ: If not by regulation or increased government oversight, how could one ensure that cloud suppliers don't increasingly become victims of cyberattacks?

PROF. SMITH: I'm not sure if regulations are the best engine -- regulations are great for working with known and well-understood threats. Not so much with emerging threats.

I think the best bet would be for the industry to partner closely with academia and the military in supporting joint research programs, perhaps starting with doctoral programs in computer science, information technology and information systems. This is an area where such collaborations make sense because national-security interests are at play.

MR. SCHRUERS: Another step policy makers can take is to not impede the private sector from making their services safer. Encryption is a critical means of preventing and deterring network-based attacks. Unfortunately, some law-enforcement constituencies demand that digital services put their encryption keys under the doormat -- as if adversaries don't know to look under the doormat too.

Additionally, half of prevention is deterrence. The private sector can take actions toward risk management and mitigation, but only the government can achieve global deterrence.

MR. CONNER: I think both government and private actors have a responsibility to protect Americans from cyberattacks. I believe we need oversight and regulation. But we also need businesses to invest sufficiently to protect against attacks. I've worked in several Silicon Valley startups, and very rarely do internal calls for more security win out of over those pushing for faster innovation, sometimes with disastrous consequences." [1]

1. Workplace Technology (A Special Report) --- Should Cloud-Service Companies Face More Government Oversight? Individual consumers and companies depend on these cloud-computing-service providers. But they are lightly regulated compared with other crucial industries
Ziegler, Bart. Wall Street Journal, Eastern edition; New York, N.Y. [New York, N.Y]. 09 Mar 2022: R.8.