Obscure certification key in classified data storage battle
WASHINGTON — An obscure Defense Department IT certification has become the latest flashpoint in a long-running fight over which West Coast tech company is best suited to safeguard America’s national security secrets.
In late October the Pentagon jilted Amazon when it turned to Microsoft for a centralized cloud computing network called the Joint Enterprise Defense Infrastructure (JEDI). Analysts had widely assumed the contract would go to Amazon Web Services, the commercial market leader, in large part because an earlier CIA contract gave it years of experience handling sensitive government data.
But on Dec. 12 Microsoft became the second company to hold the Pentagon’s highest-level IT security certification, called Impact Level 6, Defense Information Systems Agency spokesman Russ Goemaere told The Washington Post in an email. The temporary certification lasts three months, after which a longer one will be considered, Goemaere said.
The certification means that, for the first time, Microsoft will be able to store classified data in the cloud. Defense and intelligence agencies typically use air-gapped, local computer networks to store sensitive data rather than the cloud-based systems most companies use to harness far-off data centers. Previously, Amazon was the only cloud provider trusted with secret data.
The IT certification could help justify Microsoft’s surprise JEDI win, which has become the subject of a high-stakes, politically charged lawsuit over allegations that President Donald Trump meddled in the government procurement process to steer public funds from Amazon.
Before the award to Microsoft, Trump directed Defense Secretary Mark Esper to review the Pentagon’s approach to JEDI. Trump said on television that he had received “tremendous complaints” from companies that compete with Amazon, and privately expressed concerns that the contract would go to Amazon. Trump has long derided Amazon founder Jeff Bezos.
The matter is being litigated in the Court of Federal Claims, which handles disputes over federal contracts.
In its legal complaint, Amazon leaned heavily on its CIA experience to justify the idea that Microsoft could not possibly have bested it in a fair fight, although much of the information was redacted. Spokesmen for Microsoft and Amazon declined to comment for this story.
In the complaint, Amazon Web Services criticized the Pentagon for failing to recognize its alleged technical superiority. And it said Microsoft’s product is inferior, arguing that certain cyber-vulnerabilities disclosed in a government database raise questions about its fitness for the contract.
Amazon’s lawyers pointed to a type of cyber attack called a “hypervisor breakout attack,” in which a hacker escapes one customer’s virtual machine and hijacks the hypervisor, the software layer that keeps different customers sharing the same physical server isolated from one another.
“A successful hypervisor breakout attack would be devastating to customers, like DOD, who need absolute security on their cloud platform,” the company’s lawyers wrote in the complaint.
The company’s chief technology officer, Werner Vogels, touted AWS’ security advantages at a recent conference hosted by Amazon.
“Everything is encrypted by default,” Vogels said. “In that way, we’ve actually improved security significantly.”
Both companies appear to have security issues. A vulnerability database managed by the National Institute of Standards and Technology lists dozens of vulnerabilities involving Microsoft’s hypervisor, as well as quite a few involving Amazon’s Nitro.
Andras Cser, a cloud security analyst with Forrester, said AWS’ hypervisor “seems more security focused,” but added that customers generally do not see the issue as much of a threat.