Amazon’s new contract to host top-secret intelligence for UK spy agencies must be scrutinised by parliament to ensure risks over data access, privacy, and sovereignty are being mitigated, cyber security experts have warned.
The deal between GCHQ, MI5 and MI6 and AWS, Amazon’s cloud arm — estimated to be worth £500m to £1bn over a decade — was revealed by the Financial Times earlier this week. Just as news of the contract became public, parliament’s intelligence and security committee announced it was embarking on an inquiry into cloud technologies.
The committee has declined to comment on the remit of its investigation or what has prompted the probe.
Conor McGinn, Labour’s shadow security minister, said it was “only right” that the ISC should scrutinise the deal, given the sensitivities involved in a US tech company being contracted to host classified UK data.
“There are key issues that are causing concern, such as what security arrangements have been put in place given the deal is with a non-British company, and how such a large deal with one supplier will impact on the UK’s cyber resilience,” he said, adding that ministers should be more transparent about their agreement with AWS.
Neither GCHQ nor AWS have commented on their contract, which was signed earlier this year. But people with knowledge of the deal confirmed that all the agencies’ data will be held in Britain, and Amazon would not have any access to information held on the cloud platform.
Joss Wright, a researcher on information controls and privacy-enhancing technologies at the Oxford Internet Institute, said his main concern would be over how Amazon would be prevented from accessing the data.
“There are all sorts of technical safeguards that could go into a system like this, but the idea that Amazon would be entirely unable to access the data . . . I wouldn’t say it was impossible, but I would want to question that very, very closely if I were on the committee,” he said.
“My direct question would be, absent any legal or administrative constraints, would Amazon be able to get access to this data if it had to? Are there technical restrictions that would stop this from happening, or are the agencies relying on trust?”
Other experts raised concerns over sovereignty and data privacy. James Sullivan, head of cyber research at the Royal United Services Institute, the think-tank, said there was a “legitimate question” over whether personal data would be used differently as a result of new search and AI capabilities made possible by the new platform.
“If storing data in the cloud enables intelligence agencies to use data for intelligence purposes at scale, how does that impact the privacy of the citizen? How will they manage that growing capability, and will the oversight mechanisms account for that change in scale?” he asked.
Sullivan also urged MPs to probe the risk-management mechanisms in place in the event of Amazon suffering a data breach or change of ownership which changed its suitability as a commercial partner.
“Assessing who is a reliable and trusted partner is a continuous process; even though the company is based in a partner country which is also an intelligence ally, it should still be subject to continuous scrutiny,” he said.
Advocates of the deal argue that Amazon already has a proven record in supplying cloud services to US spy agencies, which work closely with their British counterparts as part of the Five Eyes intelligence-sharing alliance. AWS struck its first cloud deal with the CIA, worth $600m, eight years ago.
Sir David Omand, former director of GCHQ, said he considered the security risks of using a US provider to be “manageable”.
“If anything, a cloud solution should be more secure than the arrangements we have today,” he said. “Because if you’re trying to share information on legacy systems at great speed as threats change or new urgent missions arise, there’s always a risk you’ll expose yourselves to security problems you don’t even know about.”