On May 26, the UK Government published a policy paper calling for views on the development of a ‘stronger risk management framework to address risks associated with data storage and processing infrastructure’.

The number of organisations utilising cloud computing services to store data has more than doubled in recent years, with the Office for National Statistics (ONS) reporting that 53% of organisations leverage cloud platforms.

By publishing a call for views, there is no doubt that the UK Government seek to understand the impact and threats associated to this widescale change in operations.

The policy paper was published by the Department for Digital, Culture, Media & Sport and seeks to gain an understanding of the potential risks that data storage services are facing, and some of their key customers.

As such, the call for view concerns UK data storage and processing infrastructure such as data centres, cloud platforms and managed service providers (MSPs). Following the deadline, on July 24, the government are set to review feedback and publish a response.

The targeting of data centres, cloud platforms and MSPs remains a lucrative attack vector to advanced persistent threat groups (APTs) and exploitation of such avenues has appeared to gain momentum over the past year.

In December 2021, it was reported that a Russian APT threat Nobelium, who were also responsible for the SolarWinds compromise, were targeting cloud computing providers to achieve widespread exploitation and move laterally into organisations systems.

Additionally, in January, Cisco Talos reported that threat actors were leveraging public cloud service providers to spread several remote access trojans (RATs) including Nanocore, Netwire, and Async.

The call for view also falls less than a month after the the National Cyber Security Centre (NCSC), alongside other members of the Five Eyes intelligence alliance, released an advisory to MSPs and their customers to highlight a heightened risk of attacks.

The publication of this advisory, alongside the call to view for UK data storage vendors, and a recent increase in threat actors targeting cloud infrastructure, highlights how protection of these services is of national interest.

The call for views signifies an acknowledgement that the bolstering of defences is required to protect the nation and safeguard key infrastructure. As the threat landscape continuously changes, and key political events continue to influence an uptick in cyber warfare, it is a prominent time for the Government seek to understand potential threats to strengthen resilience.

For further guidance on best practice of using cloud services securely, organisations are encouraged to review the NCSC’s Cloud Security guidance.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).