Among the last acts of the Trump Administration is an executive order aimed at blocking foreign adversaries from using cloud computing platforms in attacks against the United States.
Under the order, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, the Commerce Department has 180 days to develop “know your customer” type of rules for infrastructure-as-a-service providers in the United States to verify the identities of foreign entities on the platform, take action if the platform is used maliciously, and maintain certain records.
Foreign malicious cyber actors aim to harm the United States economy through the theft of intellectual property and sensitive data and to threaten national security by targeting United States critical infrastructure for malicious cyber-enabled activities," the text of the executive order said. "This order provides authority to impose record-keeping obligations with respect to foreign transactions.
The idea itself isn’t novel. There are “Know Your Customer” rules in the financial services sector where organizations verify identity and collect information about their customers before making their products and services available. It is in the cloud providers’ interest to make sure that fraudulent identities aren't being used to create accounts or purchase infrastructure.
However, details matter. Depending on how the Commerce Department defines the rules, the providers will have to figure out the mechanics of data collection and verification of foreign customers. This is going to be an extensive process, especially since many providers rely on a deep network of resellers to sell their services. KYC-related tasks of collecting, verifying, and storing information can be beyond the resources of many of these resellers for the cloud providers, especially those that are resellers of those resellers and don't deal directly with the actual provider. That raises the issue of how these entities would be handling, and potentially sharing, this data.
IAAS providers still have to figure out how to run an international intelligence data operation, verify real IDs of foreign customers, & resellers’ customers," Katie Moussouris, founder of Luta Security, said on Twitter shortly after the order was released. "That said, having heard enough hums of a similar melody recently in context of #SolarWinds with lawmakers & policy makers, I don’t expect this tune to fade too far out of earshot in the next administration.
Moussouris urged security professionals to "Pay attention," and "Provide constructive feedback" when Commerce releases its proposal in six months for public feedback.
The language in the executive order—"extent to which persons in the US are compromised or unwittingly involved in activity”—suggests that the data collection wouldn't be just limited to foreign entities, and that people in the United States could wind up finding their information included in these verification activities. It could also apply to Americans who work for foreign-owned businesses.
Another question left for Commerce to figure out is how infrastructure would be defined for providers such as Amazon Web Services, Google, and Microsoft, which has data centers outside the United States.
"Malign actor abuse of United States IaaS products has played a role in every cyber incident during the last four years, including the actions resulting in the penetrations of United States firms FireEye and Solar Winds," national security advisor Robert C O' Brien, said in a National Security Council statement. The aim of the order is to reduce “malign actors' access to and ability to use United States ICTs [information and communications technologies] products for nefarious purposes.”
A separate executive order demanded federal agencies to perform a security assessment of drones involved in federal activities which had been sourced from China and countries considered to be "foreign adversaries." The risk assessment would also need to include steps to mitigate risk, even if it means removing the drones entirely from federal service. The order covers drones used for various purposes, including mapping, disaster assistance, surveillance, infrastructure inspections, and for military functions. The list of countries considered to be a foreign adversary includes Russia, Iran, and North Korea.