On the last full day of his administration, then-President Donald Trump issued an executive order (EO) “to address the use of United States Infrastructure as a Service (IaaS) products by foreign malicious cyber actors.” This EO follows an Obama Administration EO that set up a formal structure to sanction foreign entities for “significant malicious cyber activities,” and it seeks to further use the emergency powers granted to the President in the 1970s to address the threats allegedly posed by malicious actors using IaaS (such as cloud computing) to inflict significant harm on the United States (U.S.).
Given the review the Biden Administration is undertaking, particularly of so-called “midnight” regulations and directives, this EO will undoubtedly be scrutinized by the new White House and possibly modified or even withdrawn. Therefore, it is not certain this EO will be implemented. This is especially so for this EO because its operative parts require notice and comment rulemaking, which will depend on how the Biden Administration wants to proceed. And one can be sure that Amazon, Google, Microsoft, and other cloud and IaaS providers have been lobbying, and will continue to heavily lobby, the White House, the agencies charged with implementing the EO, and Congress, in order to exert pressure from Capitol Hill.
This EO is almost certainly aimed at nation-state hackers, groups affiliated with nation-states, non-criminal hackers, and criminal hackers. The U.S. government is implicitly asserting that these malicious actors are using the relative anonymity and infrastructure currently available through IaaS. The EO requires that IaaS providers keep more complete records on all foreign users, which will undoubtedly be portrayed as an onerous requirement by industry stakeholders, and it would condition or even prohibit service to certain countries or people if the U.S. determines the risk of malicious activity is too high.
An executive order, if implemented as planned, would require cloud and other IaaS providers to collect more information on foreign users and possibly limit or shut down service for potential malicious cyber-enabled actors.
Executive Order 13984 “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” lays out the policy rationale for its issuance:
IaaS products provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers. Foreign malicious cyber actors aim to harm the United States economy through the theft of intellectual property and sensitive data and to threaten national security by targeting United States critical infrastructure for malicious cyber-enabled activities. Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection.
The EO defines “Infrastructure as a Service Product” as:
any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of “virtualized” products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., “virtual private servers”), and “dedicated” products or services in which the total computing resources of a physical machine are provided to a single person (e.g., “bare-metal” servers);
And so, the EO requires the Department of Commerce (Commerce) to “propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account.” The EO suggests the criteria and metrics Commerce should consider using but largely leaves this determination to the agency. And, in the list of considerations, the first leverage point that industry will likely use appears: the discretionary authority Commerce will have to exempt certain U.S. IaaS providers, which may rest on a finding that the provider “complies with security best practices to otherwise deter abuse of IaaS products.” Commerce will also need to propose regulations through a notice and comment rulemaking that require U.S. IaaS providers to take “special measures” if Commerce determines that reasonable grounds exist to conclude a foreign jurisdiction has either a significant number of resellers or people offering U.S. IaaS for “malicious cyber-enabled activities” or a significant number of people who are, in fact, using IaaS for these activities. Commerce may do the same if a foreign person, group of people, or entity is offering or using IaaS for malicious cyber-enabled activities. Another leverage point for U.S. IaaS providers and other stakeholders appears in this section because Commerce must consider:
(i) whether the imposition of any special measure would create a significant competitive disadvantage, including any undue cost or burden associated with compliance, for United States IaaS providers;
(ii) the extent to which the imposition of any special measure or the timing of the special measure would have a significant adverse effect on legitimate business activities involving the particular foreign jurisdiction or foreign person; and
(iii) the effect of any special measure on United States national security, law enforcement investigations, or foreign policy.
Commerce’s “special measures” consist of prohibiting or conditioning the use of U.S. IaaS. What these may look like may be spelled out in the draft regulations Commerce is required to issue.
The Departments of Justice (DOJ) and Homeland Security (DHS) must study how to increase information sharing among IaaS providers, other stakeholders, and U.S. agencies with the aim of decreasing malicious cyber-enabled activities. Thereafter, DOJ and DHS would submit a report to the President identifying gaps in authority, including protection from legal liability, statutes and regulations that could foster greater sharing of information, and the current landscape of threats posed by the use of IaaS for malicious cyber-enabled activities.
Commerce also needs to work with certain other U.S. agencies to identify “funding requirements to support the efforts described in this order and incorporate such requirements into its annual budget submissions to the Office of Management and Budget” (OMB). In other words, agencies will need to fashion their budget requests to OMB to prioritize resources for the execution of this EO, which is not to say this will become their top policy priority. But, depending on the buy-in from OMB, this White House office could exert pressure on agencies to follow through in setting aside funds and executing this EO.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.