A new contract that will see Amazon hosting top-secret intelligence data for the UK’s spy agencies must be scrutinised by the government to ensure that risks over data access, privacy, sovereignty, and national security have been fully assessed, urge cybersecurity experts.
The Financial Times revealed on 25 October that AWS, Amazon’s cloud arm, has agreed to a contract with GCHQ, MI5 and MI6, which has been estimated to be worth between £500 million and £1 billion over the next decade.
At the same time, parliament’s intelligence and security committee (ISC) announced the launch of an inquiry into cloud technologies, which declined to comment on the remit of the investigation, or what prompted the need for the inquiry.
Labour shadow security minister, Conor McGinn, said it was only right that the ISC should be scrutinising the deal with the online shopping giant, given the sensitive and classified UK data being contracted to the US tech company.
“There are key issues that are causing concern, such as what security arrangements have been put in place given the deal is with a non-British company, and how such a large deal with one supplier will impact on the UK’s cyber resilience,” he said.
Neither Amazon/AWS or GCHQ have commented on the contract, but those with insider knowledge of the deal have confirmed that all of the data from the UK’s spy agencies will be held in Britain, and Amazon would not have any access to the information being held in the cloud.
According to the head of cyber research at the Royal United Services Institute, James Sullivan, there is a legitimate question over whether personal data would be used differently as a result of new search and AI features on the new cloud platform.
“If storing data in the cloud enables intelligence agencies to use data for intelligence purposes at scale, how does that impact the privacy of the citizen? How will they manage that growing capability, and will the oversight mechanisms account for that change in scale?” he asked.
Sullivan is one of many experts urging MPs to look at the deal and assess the risk management mechanisms in place in the event of a data breach at Amazon or AWS or change of ownership, which would change the suitability of the tech giant as a commercial partner.
He said that assessing reliable and trusted partners should be a continuous process, even though Amazon is based in a partner country that is also an intelligence ally.
Advocates of the deal insist that Amazon has already achieved a proven track record in supplying cloud services to US spy agencies, all of which work closely with UK counterparts as part of the Five Eyes intelligence-sharing initiative.
Sir David Omand, former director of GCHQ, said he considered the security risks of using a US provider to be ‘manageable’.
“If anything, a cloud solution should be more secure than the arrangements we have today,” he said. “Because if you’re trying to share information on legacy systems at great speed as threats change or new urgent missions arise, there’s always a risk you’ll expose yourselves to security problems you don’t even know about.”
If you’re looking for IT support and services in Doncaster, come and talk to us today.