The US Department of Commerce is currently requesting public input on a previous administration cybersecurity executive order that requires cloud providers to verify the identities of certain users. The goal of the executive order is to identify malicious cyber actors operating abroad and leveraging US technologies.
Executive Order (EO) 13984 was signed on 19 January 2021 by President Trump, along with other mandates focused on national security. While incumbent President Joe Biden has reversed several Trump-era actions, the administration is seeking comment on Executive Order 13984 to shape regulatory policies around Infrastructure-as-a-Service, known as IaaS. Infrastructure as a service are online services that provide high-level APIs used to dereference various low-level details of underlying network infrastructure like physical computing resources, location, data partitioning, scaling, security, and backup. These are cloud-hosted infrastructure which allows enterprises to run software and store data on servers without being responsible for their maintenance and operating costs. The order also outlines the role of resellers of cloud services and follows several high-profile cyber incidents over the past 12 months. They include the SolarWinds attack, suspected to have been committed by a group backed by the Russian government, in which about 100 organizations globally and several US government agencies that were breached. In part, cyber-criminals launched a supply chain attack on Microsoft cloud services.
Comments for the proposed rule-making are due within 30 days of its 24 September 2021 publication in the Federal Register. It is part of the Biden administration's effort to secure federal networks and software driven supply chains.
In May 2021, Biden issued an EO on cybersecurity that mandates executive branch agencies to deploy multifactor authentication, endpoint detection and response, and encryption. It also calls for the adoption of "zero trust" architectures and more secure cloud services. The goal, administration officials said, is to modernize the government's IT infrastructure while creating standards to minimize the damage caused by cyberattacks.
"In EO 13984, the president determined that additional steps must be taken to address the national emergency related to significant malicious cyber-enabled activities," the notice states; it is authored by a deputy assistant secretary of intelligence and security, at the US Department of Commerce. "The [order] addresses the threat posed by the use of US cloud infrastructure by foreign malicious cyber actors to conduct malicious cyber-enabled activities, including theft of sensitive data and intellectual property and targeting of US critical infrastructure."
Through the EO, officials must ensure that providers offering US IaaS products verify the identity of those obtaining IaaS accounts and maintain records of those transactions, to potentially avoid supply chain attacks against US interests. More robust record-keeping practices and user identification and verification standards will better assist investigative efforts, government officials stress. Under the mandate, the secretary of commerce may choose to exempt US IaaS providers demonstrating security compliance. Proposed regulations may also enable providers to institute "special measures," such as prohibition or specific conditions against foreign jurisdictions or individuals shown to be engaged in harmful cyber activity.
Among other specific fields, Commerce seeks input on the following:
- Ways to implement these requirements.
- Ways the records requests differ from data already stored by IaaS providers.
- Whether providers have the "capacity or capability to augment technical identity verification (e.g., 2FA) with additional, non-technical vetting (third-party person/entity vouching)".
- Types of analyses currently used to detect terms-of-service violations;
- Ways to limit the potential burden on IaaS providers in implementing the order.
- How the European Union General Data Protection Regulation, or GDPR; the California Consumer Privacy Act, or CCPA; or other data protection and security regulations affect providers’ ability to fulfill record-keeping requirements.
- Best practices for compliance and enforcement.
- Guidelines for exemptions for compliant providers.
- The approach for imposing conditions on problematic accounts or jurisdictions.
- Whether there are existing fraud prevention regimens that would enable consistent discovery of fake names, government documents and other identification records used to create IaaS accounts.
In a letter to Congress regarding the executive order on 19 January 2021, then-President Trump said, "Foreign actors use [IaaS] for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for US officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities."
On 20 January 2021, the new White House chief of staff Ron Klain issued a memorandum instructing agencies to freeze or delay implementation of regulatory actions that were pending under the Trump administration. It signified a likely delay in the rollout of EO 13984. According to attorneys at the firm Baker McKenzie, the initial EO "raises important concerns with respect to implementing safeguards to reduce the use of IaaS products and services in the U.S. by malicious foreign actors." The attorneys noted, "[As written] EO 13984 does not [however] address any of the concerns that might be raised with respect to what measures can be implemented to respect individual privacy rights, nor does it address what measures can be taken to minimize the potential additional liability of requiring companies to store and maintain certain categories of sensitive personal data."
In its latest notice and request for comment, Commerce appears to be addressing these privacy and/or jurisdictional concerns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings