A POTUS should make an executive order instructing all U.S. agencies to move all government cyber operations and data off of private companies' cloud systems, and establish and protect their own.
No, that makes too much sense.
As long as one is using the Internet, stolen credentials will ALWAYS be an issue, no matter who manages security.
The issue is packets going through routers and connections between third parties that cannot be managed by first parties.
There are no systems using TCP/IP on the internet that don't use credentials (user-name, password, and alternate measures: phone, text, call, secret questions, whatever). While these systems are better than just username/password, they can be spoofed.
https://www.computer.org/publications/tech-news/trends/what-is-modern-authentication
Cloud-based systems are better for security—they have more, not less protection, 24/7 HUMAN monitoring of systems and expert groups of thousands that can mitigate and stop attacks.
Having been in the military for 22 years doing cyber security and communications systems (Univac, PDP/VAX Ultrix, TCP/IP), and having worked on DDN, then MilNet, and the Internet, I can tell you there are very few at the working DOD level who do better security—unless the systems are unplugged. I then spent the next 26 years as an MCT and CompTIA instructor.
The problem with unplugged (meaning non-routed communications cut off from Internet TCP/IP processing) is the need so many have—even government—to connect to third-party customers, clients, data sources and even the public citizen.
The government has separately routed systems that use TCP/IP but are not connected to the public Internet for classified communications/processing. But I have seen people put a SIPRNet connection on a server plugged into the public network. Only a government worker (or contractor at a gov facility) can do this level of FUBAR.