Trump Orders IaaS Providers to Track Foreign UsersUnder Executive Order, Cloud Providers Must Vet Foreign Customers
In the waning hours of his presidency Tuesday, Donald Trump issued an executive order requiring U.S. infrastructure-as-a-service providers and other cloud service providers to maintain detailed records on foreign clients that could be used to help track down those committing cybercrimes.
See Also: 2023 Threat Horizons Report
"In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors' access to United States IaaS products," Trump said in a letter about the executive order.
The order amends Executive Order 13694 issued by President Barack Obama in 2015.
"Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through the legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities," according to Trump's executive order.
President Joe Biden has the power to revoke any previously implemented executive order. But a list of executive orders he was expected to sign Wednesday did not include the IaaS order.
IaaS Provider Requirements
The Trump executive order looks to close loopholes that allow cloud services to be bought or leased without proper vetting of the customer.
The order instructs the Department of Commerce to propose regulations that require U.S. cloud service providers to verify the identity of any foreign person who obtains an IaaS account. This includes setting minimum standards that U.S. providers must adopt to verify the identity of a foreign person in connection with the opening of an account or maintenance of an existing account.
Under the order, the Commerce Department must also set standards for the types of documentation and procedures required to verify the identity of any foreign person acting as a lessee or sublessee of these products or services.
The cloud service provider will be required to gather personal information on any foreign person or entity setting up an account, even if it’s intended to be a complementary or trial offering, the order states.
Implementing the Order
The order also requires the attorney general, the secretary of the Department of Homeland Security, the Commerce Department secretary and other department heads to solicit feedback on how to increase information sharing and collaboration among cloud service providers and other federal agencies.
The agency heads must then prepare a report with recommendations for information sharing between the government and IaaS providers, including reporting of incidents, crimes and other threats to national security.