Trump’s last-day order clamps down on foreign access to US-based IaaS
- By Justin Katz
- Jan 21, 2021
On the final night of his presidency, Donald Trump issued an executive order aimed at forcing cloud providers to capture more complete records about foreign customers who lease cloud infrastructure and resell it to cyber attackers. The EO directly targets foreigners’ use of infrastructure-as-a-service (IaaS) products, which makes it difficult for U.S. officials to track and obtain information and allows malicious actors to evade detection, according to a letter Trump wrote to Congress that was publicly released on the evening of Jan. 19.
To address those threats, the EO states, the government will move to require IaaS providers to keep more complete records of foreign entities that they sell to -- including verifying the identity and payment records of those obtaining an IaaS account and any foreign person acting as a lessee of these products or services -- and potentially require companies to limit access for "certain foreign actors."
The secretaries of commerce, state, treasury, defense, homeland security, the attorney general and the director of national intelligence have discretion on which foreign entities could be barred through the executive order.
CrowdStrike founder and former CTO Dmitri Alperovitch said on Twitter that the policy outlined in the order could have helped the government gather more information in the wake of the SolarWinds Orion breach. In that breach, Alperovitch said, hackers "exclusively used US cloud infrastructure to make it difficult for US intelligence community to track them." He added that "requirements like this one can go a long way to move these actors offshore and make it easier for [the government] to track them. One potential downside -- the requirements can be quite onerous/expensive for smaller providers and may lose them foreign business."
It is not clear whether President Joe Biden's administration will enforce the executive order. Ahead of the inauguration, Biden's transition team published a list of executive orders he'd immediately sign to undo certain Trump administration policies.
The Trump order has a six-month comment period.
This article was first posted to FCW, a sibling site to GCN.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.