President Trump on Tuesday signed an executive order aimed at stopping the foreign use of cloud computing services for cyber attacks against America.
“What we have seen in this space is that…an individual will rent thousands of pieces of this infrastructure inside the United States and resell them to actors who then abuse them,” a senior administration official told Reuters. “This provides the Secretary of Commerce the ability to say…’There is no reason for you to continue to have access to the nation’s products,’” the person added, noting the restrictions could apply to jurisdictions as well as people and companies.
Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities / WHITE HOUSE
By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code:
I, DONALD J. TRUMP, President of the United States of America, find that additional steps must be taken to deal with the national emergency related to significant malicious cyber-enabled activities declared in Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended, to address the use of United States Infrastructure as a Service (IaaS) products by foreign malicious cyber actors. IaaS products provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers.
Foreign malicious cyber actors aim to harm the United States economy through the theft of intellectual property and sensitive data and to threaten national security by targeting United States critical infrastructure for malicious cyber-enabled activities. Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection.
This order provides authority to impose record-keeping obligations with respect to foreign transactions. To address these threats, to deter foreign malicious cyber actors’ use of United States IaaS products, and to assist in the investigation of transactions involving foreign malicious cyber actors, the United States must ensure that providers offering United States IaaS products verify the identity of persons obtaining an IaaS account (“Account”) for the provision of these products and maintain records of those transactions.
In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors’ access to United States IaaS products. Further, the United States must encourage more robust cooperation among United States IaaS providers, including by increasing voluntary information sharing, to bolster efforts to thwart the actions of foreign malicious cyber actors.
Accordingly, I hereby order:
Section 1. Verification of Identity. Within 180 days of the date of this order, the Secretary of Commerce (Secretary) shall propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account. These regulations shall, at a minimum:
(a) set forth the minimum standards that United States IaaS providers must adopt to verify the identity of a foreign person in connection with the opening of an Account or the maintenance of an existing Account, including:
(i) the types of documentation and procedures required to verify the identity of any foreign person acting as a lessee or sub-lessee of these products or services;
(ii) records that United States IaaS providers must securely maintain regarding a foreign person that obtains an Account, including information establishing:
(A) the identity of such foreign person and the person’s information, including name, national identification number, and address;
(B) means and source of payment (including any associated financial institution and other identifiers such as credit card number, account number, customer identifier, transaction identifiers, or virtual currency wallet or wallet address identifier);
(C) electronic mail address and telephonic contact information, used to verify a foreign person’s identity; and
(D) Internet Protocol addresses used for access or administration and the date and time of each such access or administrative action, related to ongoing verification of such foreign person’s ownership of such an Account; and
(iii) methods for limiting all third-party access to the information described in this subsection, except insofar as such access is otherwise consistent with this order and allowed under applicable law;
(b) take into consideration the type of Account maintained by United States IaaS providers, methods of opening an Account, and types of identifying information available to accomplish the objectives of identifying foreign malicious cyber actors using any such products and avoiding the imposition of an undue burden on such providers; and
(c) permit the Secretary, in accordance with such standards and procedures as the Secretary may delineate and in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to exempt any United States IaaS provider, or any specific type of Account or lessee, from the requirements of any regulation issued pursuant to this section. Such standards and procedures may include a finding by the Secretary that a provider, Account, or lessee complies with security best practices to otherwise deter abuse of IaaS products.
Sec. 2. Special Measures for Certain Foreign Jurisdictions or Foreign Persons. (a) Within 180 days of the date of this order, the Secretary shall propose for notice and comment regulations that require United States IaaS providers to take any of the special measures described in subsection (d) of this section if the Secretary, in consultation with the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of National Intelligence and, as the Secretary deems appropriate, the heads of other executive departments and agencies (agencies), finds:
(i) that reasonable grounds exist for concluding that a foreign jurisdiction has any significant number of foreign persons offering United States IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining United States IaaS products for use in malicious cyber-enabled activities, in accordance with subsection (b) of this section; or
(ii) that reasonable grounds exist for concluding that a foreign person has established a pattern of conduct of offering United States IaaS products that are used for malicious cyber-enabled activities or directly obtaining United States IaaS products for use in malicious cyber-enabled activities.
(b) In making findings under subsection (a) of this section on the use of United States IaaS products in malicious cyber-enabled activities, the Secretary shall consider any information the Secretary determines to be relevant, as well as information pertaining to the following factors:
(i) Factors related to a particular foreign jurisdiction, including:
(A) evidence that foreign malicious cyber actors have obtained United States IaaS products from persons offering United States IaaS products in that foreign jurisdiction, including whether such actors obtained such IaaS products through Reseller Accounts;
(B) the extent to which that foreign jurisdiction is a source of malicious cyber-enabled activities; and
(C) Whether the United States has a mutual legal assistance treaty with that foreign jurisdiction, and the experience of United States law enforcement officials and regulatory officials in obtaining information about activities involving United States IaaS products originating in or routed through such foreign jurisdiction; and
(ii) Factors related to a particular foreign person, including:
(A) the extent to which a foreign person uses United States IaaS products to conduct, facilitate, or promote malicious cyber-enabled activities;
(B) the extent to which United States IaaS products offered by a foreign person are used to facilitate or promote malicious cyber-enabled activities;
(C) the extent to which United States IaaS products offered by a foreign person are used for legitimate business purposes in the jurisdiction; and
(D) the extent to which actions short of the imposition of special measures pursuant to subsection (d) of this section are sufficient, with respect to transactions involving the foreign person offering United States IaaS products, to guard against malicious cyber-enabled activities.
(c) In selecting which special measure or measures to take under this section, the Secretary shall consider:
(i) whether the imposition of any special measure would create a significant competitive disadvantage, including any undue cost or burden associated with compliance, for United States IaaS providers;
(ii) the extent to which the imposition of any special measure or the timing of the special measure would have a significant adverse effect on legitimate business activities involving the particular foreign jurisdiction or foreign person; and
(iii) the effect of any special measure on United States national security, law enforcement investigations, or foreign policy.
(d) The special measures referred to in subsections (a), (b), and
(c) of this section are as follows:
(i) Prohibitions or Conditions on Accounts within Certain Foreign Jurisdictions: The Secretary may prohibit or impose conditions on the opening or maintaining with any United States IaaS provider of an Account, including a Reseller Account, by any foreign person located in a foreign jurisdiction found to have any significant number of foreign persons offering United States IaaS products used for malicious cyber-enabled activities, or by any United States IaaS provider for or on behalf of a foreign person; and
(ii) Prohibitions or Conditions on Certain Foreign Persons: The Secretary may prohibit or impose conditions on the opening or maintaining in the United States of an Account, including a Reseller Account, by any United States IaaS provider for or on behalf of a foreign person, if such an Account involves any such foreign person found to be offering United States IaaS products used in malicious cyber-enabled activities or directly obtaining United States IaaS products for use in malicious cyber-enabled activities. READ MORE AT AMERICA’s FREEDOM FIGHTERS