Cloud Security, Compliance Management, Industry Regulations

Last-minute Trump order adds new security regulation to cloud providers

An eleventh-hour executive order from then-president Donald Trump will require infrastructure-as-a-service providers to log the identity of foreign clients.

Though Trump has exited the White House and a new administration has taken over, the executive order will stand, unless specifically repealed by new President Joe Biden.

By decree, the Department of Commerce has 180 days to instate regulations requiring IaaS services, defined as cloud services that allow users to run software that is not predefined, to verify the identity of all foreign customers. The secretary of Commerce is also directed to establish which, if any, foreign countries or persons should be universally denied service.

Similar "know your customer" rules exist in the financial sector. The order was signed Tuesday, Trump's last day in office.

Trump National Security Advisor Robert O'Brien wrote in a statement: "Malign actor abuse of United States IaaS products has played a role in every cyber incident during the last four years, including the actions resulting in the penetrations of United States firms FireEye and Solar Winds."

Some of the biggest IaaS providers were thorns in Trump's side, also contributing to the ultimate de-platforming of Parler, including Amazon, Google and Apple. That fact led to rampant speculation on social media that the EO was a last-second parting shot.

"Certainly, that's a logical conclusion to reach; the timing on it is very strange," said Michael Daniel, former White House cybersecurity czar and current president and CEO of the Cyber Threat Alliance, an industry threat sharing group. "I don't think it's the logical origin of the order."

In truth, the EO has been in the works since at least early December, when Politico first wrote about its being drafted.

"If the goal is to be able to cut down on malicious use of cloud infrastructure, that's a noble goal," said Daniel, who also questioned whether the tactic would prove an effective mechanism to fight malicious usage of cloud infrastructure. Hackers, including those in the SolarWinds breach cited by O'Brien, often use hacked cloud accounts in attacks rather than sign up for new ones. Hackers also have access to stolen identities, which they can use to set up a new account.

Security, policy and cloud technology spectators do point to several risks tied to the EO, all of which depend largely on how the Department of Commerce chooses to implement the rule.

"Implemented stupidly, this could affect that dominance," said Daniel.

Some expressed concern that the rule could run afoul of European Union standards, for example, just as the U.S. tries to negotiate a new data transfer pact. Others pointed to the cost of compliance, which could threaten the United States current dominance in the cloud market.

That said, the burden of compliance may harm new companies more than established ones.

"Smaller players may inadvertently become more affected by it," said Elizabeth Wharton, chief of staff at the security firm Scythe. A two-person company likely will not have the same capacity for compliance as Google.

Therefore, she added, "this might lead to the outsourcing of identity verification to services like Google and Apple."

Wharton noted that while the new rules may only have a minimal effect against hackers who leverage stolen accounts for use in attacks, it may have a bigger effect on copyright-infringing streaming websites that use IaaS.

IaaS firms that spoke to SC Media said they would take a wait and see approach to see what, if any, final regulation comes about.

"If the intention of the cited EO was to limit the accessibility of cloud services to embargoed countries, then the EO is unnecessary and redundant. If the intention of the cited EO was to create a class of services subject to general embargo, then the EO fails for a slew of statutory and constitutional reasons," wrote Mike Maney of cloud provider Linode in an email. "In either path, we arrive at an outcome where OSPs will not likely have to take action."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.