On Tuesday, during his last full day as US President, Donald Trump issued an executive order seeking to curtail cyber attacks by directing the government to come up with rules requiring cloud service providers to better identify foreign customers.
It now falls to the incoming Biden administration to implement the order, which may end up simply being ignored, given the recent flood of executive orders.
The “executive order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities” calls for the US Secretary of Commerce to propose rules to “require United States IaaS providers to verify the identity of a foreign person that obtains an Account.”
In a letter to Congressional leaders, Trump explains that foreign actors use US cloud service providers to carry out malicious cyber activities and that America must be able to obtain more extensive information from service providers about foreign individuals using their computing infrastructure.
“Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection,” Trump’s letter says.
In addition to soliciting rules for customer identification and record keeping, the order calls for setting up ways to limit certain foreign actors’ access to US cloud services and to promote greater cyber threat data sharing among service providers.
The order gives the Secretary of Commerce 180 days to propose such rules and offer them for comment. It also calls for a report from the Attorney General and the Secretary of Homeland Security about how to encourage cloud providers to share threat information more readily.
We can imagine the cloud giants’ view on the logistics of having to verify the identity of every non-American customer who clicks the sign-up button to spin up an off-prem virtual machine.
Looking long term
Trump’s order was not published in the Federal Register, but that doesn’t mean it’s automatically invalid.
T. Greg Doucette, an attorney based in Durham, North Carolina, told The Register that normally, failure to publish an executive order would create due process problems if the government attempted to enforce the order without adequate public notice.
But in this instance, the order wasn’t published because it simply calls for rule making from federal officials.
“It’s not published because it falls within the exception, only directing the assorted Secretaries to prepare regulations for notice and comment,” said Doucette. “Those proposed regulations will matter, and after the required notice and comment period under the Administrative Procedure Act, final regulations would have the force of law and be published in the Federal Register.
“But this is just typical Trump bluster that doesn’t really do anything. All of this presupposes Biden’s Secretaries follow through, as opposed to just ignoring it.”
A former cyber official from the Obama administration who spoke to The Register agreed that it will be up to the Biden administration to decide whether anything comes of this executive order. Incoming cyber officials may decide there are some good ideas in terms of the “know-your-customer” obligations, our source said.
However, the devil is in the details, our source opined. Any rules will need to balance benefits with compliance costs that might make US cloud providers less competitive or add to the existing skepticism that foreign entities have about the privacy of their data at US companies.
We asked Amazon, Google, and Microsoft to offer their thoughts on the executive order. None of the companies responded.