An Analysis of the Trump Administration’s Final Cyber-Focused Executive Order
By Peter Machtiger
On his last full day in office, former President Trump released one last Executive Order (EO) aimed at preventing malicious cyber-enabled activities. While incoming President Biden has issued a “regulatory freeze memo” to allow his administration to review any so-called “midnight regulations” issued by President Trump before they move forward, it is worth parsing this EO closely. The incoming Biden administration is full of officials with strong cyber backgrounds, and portions of this EO may be incorporated into a larger Biden cyber plan.
What is the purpose of the Executive Order?
This EO builds on an Obama administration EO (EO 13694), which declared foreign malicious cyber-enabled activities to be a national emergency. This national emergency declaration by the Obama administration unlocked legal authority under the National Emergencies Act (NEA) and the International Emergency Economic Powers Act (IEEPA) for the steps outlined in the new Trump EO.
The new EO takes aim at foreign use of “infrastructure as a service” (IaaS) products, a type of cloud computing simply defined in the EO as products that “provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers” (the EO also contains a longer, more technical definition). The concern, according to an administration official, is that individuals will rent computing infrastructure inside the U.S. and resell that infrastructure access to foreign actors that will use it for malicious activities. The EO essentially lays the groundwork for establishing “Know Your Customer” requirements for cloud computing services. According to the EO and a statement by then-National Security Advisor Robert O’Brien, the EO seeks to combat the “theft of intellectual property and sensitive data” and threats to U.S. critical infrastructure by foreign actors facilitated by IaaS products. While O’Brien’s statement mentions the recent cyber incident affecting SolarWinds, FireEye, and countless other companies, this EO is rumored to have been drafted prior to the election and one official has even indicated that it has been in the works for two years.
What does the Executive Order say?
The EO does not mandate any immediate actions for private sector actors, but lays out requirements for government agencies to propose regulations for public notice and comment and to provide a report to the president. The basic upshot is that the government wants U.S. IaaS providers to verify the identities of foreign customers, keep records of those customers, and potentially refuse to do business with customers from foreign countries where many IaaS-enabled cyberattacks originate, with resellers who provide IaaS products to malicious cyber actors, and with known individuals involved in malicious cyber activities.
First, the EO calls for the Secretary of Commerce to propose within six months regulations that would require U.S. IaaS providers to verify the identity of any foreign customers, including the customers of resellers. These regulations would dictate the minimum documentation and procedures for verification and the record-keeping requirements for verification information, such as a customer’s name, national identification number, physical address, payment information, email address, phone number, and IP address. However, the EO asks the Secretary of Commerce to avoid imposing an “undue burden” on IaaS providers and to outline an exemption provision for U.S. IaaS providers, account types, or customers that comply with security best practices to deter malicious cyber-enabled activities. This exemption designation would come after consultation between the Secretaries of Commerce, Defense, and Homeland Security, as well as the Attorney General and the Director of National Intelligence.
In tandem, the EO requires regulations outlining the measures U.S. IaaS providers would be required to take upon a finding by the Secretary of Commerce that a particular foreign jurisdiction has a significant number of foreign persons offering U.S. IaaS products that are used maliciously, or that a particular foreign person shows a pattern of offering U.S. IaaS products that are used maliciously. These required measures could include conditions on, or a complete prohibition of, accounts (including reseller accounts) in certain foreign jurisdictions or held by certain foreign persons. The finding imposing such measures would be made in consultation with the Secretaries of State, Treasury, Defense, and Homeland Security, as well as the Attorney General and the DNI. The government would consider the extent of the malicious use; the existence of a mutual legal assistance treaty with the foreign jurisdiction and the jurisdiction’s level of cooperation with U.S. officials; the extent to which a certain measure would create a significant competitive disadvantage or have a significant adverse effect on legitimate business activities; and the implications of any measure for U.S. national security, law enforcement investigations, or foreign policy.
The EO also gives the Attorney General and the Secretary of Homeland Security four months to consult with private actors within the IaaS industry on how to increase information sharing and collaboration within the private sector and between the private sector and the government. The Attorney General and the Secretary of Homeland Security then have four more months to produce a report for the president laying out the results of those conversations, information on the capabilities and tradecraft of malicious actors, the extent to which U.S. persons are unwittingly involved in the reselling of IaaS products that are used maliciously, recommended liability protections for U.S. IaaS providers, and recommendations for facilitating the detection and identification of foreign malicious cyber actors.
Finally, the EO directs the Secretary of Commerce to identify the funding requirements to support the above efforts.
What are the implications of the Executive Order?
Until the proposed regulations are released, it is difficult to know exactly what the implications of the above scheme would be. One official has indicated that the punitive measures outlined above would be “extraordinary” rather than routine, potentially for use as a leverage point in negotiations with another country for a mutual legal assistance treaty or information-sharing or law enforcement effort. Thus, one reading is that the EO primarily provides another “stick” that the U.S. can use against adversaries such as China, Iran, and Russia in response to malicious cyber activities. As countries try to navigate the issue of forceful cyber response without unnecessary escalation, it is helpful to have a multitude of tools, such as this one, to calibrate exactly the appropriate level of response.
There will almost certainly be implementation issues if the regulations go forward. Enforcing the identity verification provisions will place a heavy burden on smaller IaaS providers and further cement the market dominance of companies like Microsoft, Amazon, and Google, which can afford to implement and enforce costly regulations. In addition, these large companies would have more resources to lobby for exemptions if the exemption provision is enacted. Foreign cyber criminals will also likely use stolen or forged personal information and documents, which may be difficult for private companies to detect. As described above, the EO asks the Secretary of Commerce to avoid imposing an “undue burden” on IaaS providers; yet regulations following the criteria of the EO would likely place a heavy burden on most IaaS providers, so a great deal turns on how the government determines whether a burden is “undue.”
If IaaS providers are required to collect a customer’s name, national identification number, physical address, payment information, email address, phone number, and IP address, there may also be pushback from privacy advocates and regulators. Collecting that bundle of personal information from, for example, European customers and transmitting it to U.S. IaaS providers would seem to implicate the same concerns raised in the Court of Justice of the European Union’s decision in the Schrems II case, which invalidated the Privacy Shield data-sharing agreement between the U.S. and the E.U. Like Schrems II, these regulations could contribute to the balkanization of the internet.
As always, there is also a risk of international reciprocity. To take a recent example, the social media site Parler, popular among supporters of President Trump, is now supported by the infrastructure of a Russian company called DDoS-Guard after being dropped by Amazon Web Services. If Russia enacted similar regulations to the ones called for in the EO, Parler would be required to submit some collection of personal information to DDoS-Guard, which would then likely end up in the hands of the Russian government. The overall risk level from this scenario would be low and it would likely affect only a small number of American tech companies seeking overseas hosting, but the concern is there.
Finally, there may be implications for U.S. signals intelligence collection. If these regulations successfully pushed foreign malicious cyber actors away from U.S. IaaS providers and to foreign providers, collection of their activity would almost certainly fall under Executive Order 12333, which would allow the National Security Agency to intercept the electronic communications of those foreign actors on foreign servers much more freely. Without these regulations, if malicious foreign actors continued to use U.S. IaaS providers, the U.S. government would have to use Section 702 of the Foreign Intelligence Surveillance Act, a more burdensome process, to gain access to their electronic communications located on U.S. servers with the assistance of the U.S. providers.
Whether the Biden administration decides to move forward with this EO or rescind it, these issues are likely to come up again. With the extremely talented cyber team that the Biden administration is putting together, we can expect a comprehensive national cyber strategy, which may tackle this problem a different way. Luckily, if the latest National Defense Authorization Act is any indication, there appears to be bipartisan support and momentum for hardening U.S. cyber defenses and improving cybersecurity coordination across the public and private sectors.
Peter Machtiger is a student at NYU School of Law, where he has been a Student Scholar at the Reiss Center on Law and Security, Co-President of the National Security Law Society, and currently serves as a Contributing Editor for NYU Wagner Review. Prior to law school, he was an infantry officer in the United States Marine Corps. Peter has a BA from Harvard University in Government.