US Commerce Officials Seek Comment on IaaS Executive Order
Trump-Era Mandate Calls for Verifying IDs of Foreign IaaS Account Holders
The U.S. Department of Commerce is soliciting public input on a Trump administration cybersecurity executive order that requires cloud providers to verify the identities of certain users. The goal of the executive order is to root out malicious cyber actors operating abroad and leveraging U.S. technologies, officials say.
Executive Order 13984 was signed at the eleventh hour - on Jan. 19 - by outgoing President Donald Trump, along with other mandates focused on national security. While incumbent President Joe Biden has reversed several Trump-era actions, the administration is seeking comment on Executive Order 13984 to shape regulatory policies around infrastructure-as-a-service, known as IaaS: cloud-hosted infrastructure that lets enterprises run software and store data on servers without bearing the servers' maintenance and operating costs.
The order also outlines the role of resellers of cloud services and follows several high-profile cyber incidents over the past 12 months. They include the SolarWinds attack, suspected to have been committed by a group backed by the Russian government, in which about 100 organizations globally - and several U.S. government agencies - were breached. In part, cybercriminals launched a supply chain attack on Microsoft cloud services (see: SolarWinds Attack Spurring Additional Federal Investigations).
Ongoing Cyber Efforts
Comments for the proposed rule-making are due within 30 days of its Sept. 24 publication in the Federal Register. It's part of the Biden administration's effort to secure federal networks, and in particular, the software supply chain.
In May, Biden issued an executive order on cybersecurity that mandates executive branch agencies to deploy multifactor authentication, endpoint detection and response, and encryption. It also calls for the adoption of "zero trust" architectures and more secure cloud services. The goal, administration officials said, is to modernize the government's IT infrastructure while creating standards to minimize the damage caused by cyberattacks (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
"In EO 13984, the president determined that additional steps must be taken to address the national emergency related to significant malicious cyber-enabled activities," the notice states; it is penned by Trisha B. Anderson, deputy assistant secretary, intelligence and security, at the Department of Commerce. "The [order] addresses the threat posed by the use of U.S. cloud infrastructure by foreign malicious cyber actors to conduct malicious cyber-enabled activities, including theft of sensitive data and intellectual property and targeting of U.S. critical infrastructure."
Through the executive action, officials must ensure that providers offering U.S. IaaS products verify the identity of those obtaining IaaS accounts and maintain records of those transactions, to potentially avoid supply chain attacks against U.S. interests.
More robust record-keeping practices and user identification and verification standards will better assist investigative efforts, officials add. Similarly, under the mandate, the secretary of commerce may choose to exempt U.S. IaaS providers demonstrating security compliance. Proposed regulations may also enable providers to institute "special measures," such as prohibition or specific conditions against foreign jurisdictions or individuals shown to be engaged in harmful cyber activity.
Public Questions
Among other specific fields, the Department of Commerce seeks input on the following:
- Ways to implement these requirements;
- Ways the records requests differ from data already stored by IaaS providers;
- Whether providers have the "capacity or capability to augment technical identity verification (e.g., 2FA) with additional, non-technical vetting (third-party person/entity vouching)";
- Types of analyses currently used to detect terms-of-service violations;
- Ways to limit the potential burden on IaaS providers in implementing the order;
- How the European Union General Data Protection Regulation, or GDPR; the California Consumer Privacy Act, or CCPA; or other data protection and security regulations affect providers’ ability to fulfill record-keeping requirements;
- Best practices for compliance and enforcement;
- Guidelines for exemptions for compliant providers;
- The approach for imposing conditions on problematic accounts or jurisdictions;
- Whether there are existing fraud prevention regimens that would enable consistent discovery of fake names, government documents and other identification records used to create IaaS accounts.
Delay in Rollout
In a letter to Congress regarding the executive order on Jan. 19, then-President Trump said, "Foreign actors use [IaaS] for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for U.S. officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities."
On Jan. 20, new White House chief of staff Ron Klain issued a memorandum instructing agencies to freeze or delay implementation of regulatory actions that were pending under the Trump administration. It signified a likely delay in the rollout of Executive Order 13984.
'A Significant Impact?'
According to attorneys at the firm Baker McKenzie, the initial executive order "raises important concerns with respect to implementing safeguards to reduce the use of IaaS products and services in the U.S. by malicious foreign actors."
In a blog post, they continue: "The standards that will be addressed in the proposed regulations may have a significant impact on many businesses operating in the U.S., given the broad definition of IaaS products."
The attorneys note, "[As written] EO 13984 does not [however] address any of the concerns that might be raised with respect to what measures can be implemented to respect individual privacy rights, nor does it address what measures can be taken to minimize the potential additional liability of requiring companies to store and maintain certain categories of sensitive personal data."
In its latest notice and request for comment, the Department of Commerce appears to be addressing these privacy and/or jurisdictional concerns.
This story has been updated to correctly indicate the number of organizations impacted by the SolarWinds incident.