On January 19, 2021, then-President Trump issued Executive Order 13984 (“EO 13984”), “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which amends and expands Executive Order 13694 of April 1, 2015, to detect and deter the use of US infrastructure as a service (“IaaS”) products by foreign malicious cyber actors. Specifically, EO 13984 directs the US Department of Commerce (“Commerce”) to (i) issue regulations to detect and deter the use of US IaaS products in malicious cyber-enabled activities, primarily via identity verification requirements, and (ii) coordinate with other US government agencies to impose “special measures” against certain foreign persons and/or foreign jurisdictions.
There is no immediate regulatory change resulting from EO 13984, and the Biden administration may or may not delay or change the implementation of the regulations directed under EO 13984. However, cloud service providers and other IT service providers should closely monitor for any proposed regulations or other developments. Below we provide a summary of key issues under EO 13984.
Identity Verification Requirements
EO 13984 directs Commerce to propose regulations by July 18, 2021 (“Proposed Regulations”) to require US IaaS providers to verify the identity of foreign persons using their services. In doing so, the Proposed Regulations must set forth the minimum standards for US IaaS providers to verify the identity of foreign IaaS account holders, including:
- the documentation and procedures required to verify the identity of foreign lessees/sub-lessees of IaaS products;
- records that US IaaS providers must maintain regarding foreign IaaS account holders (e.g., a foreign account holder’s name, national identification number, address, payment methods, and associated financial identifiers, including credit card number, email address, phone number, IP address, and date and time of the foreign account holder’s activities in connection with the account); and
- methods for securing the above information.
However, Commerce may also exempt any US IaaS provider if Commerce finds that such US IaaS provider complies with security best practices to otherwise deter abuse of IaaS products.
“US IaaS provider” is defined as any United States person (a US citizen, lawful permanent resident, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person located in the United States) that offers an “IaaS product,” itself defined to mean “any product or service offered to a consumer, including complementary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications…” The definition of IaaS product is not limited to “dedicated” environments and expressly includes “‘virtualized’ products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet.”
“Special Measures” for Certain Foreign Jurisdictions or Foreign Persons
EO 13984 also directs the Proposed Regulations to address “special measures” for IaaS providers to take against certain foreign jurisdictions and/or foreign persons. “Special measures” can include prohibitions or conditions on the opening or maintaining of an “IaaS Account,” including a “Reseller Account,” in respect of:
(i) a foreign jurisdiction which has a significant number of foreign persons offering or obtaining US IaaS products to be used for malicious cyber-enabled activities (i.e., activities that seek to compromise or impair the confidentiality, integrity, or availability of computer, information, or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon); and
(ii) a foreign person who has a pattern of offering or obtaining US IaaS products to be used in malicious cyber-enabled activities.
“IaaS Account” means a formal business relationship established to provide IaaS products to a person in which details of such transactions are recorded, and “Reseller Account” means an IaaS account established to provide IaaS products to a person who will then offer those products subsequently, in whole or in part, to a third party.
EO 13984 also requires Commerce to consider several factors before imposing “special measures” against a foreign jurisdiction: (i) evidence that foreign malicious cyber actors have obtained US IaaS products offered in that foreign jurisdiction; (ii) the extent to which that foreign jurisdiction is a source of malicious cyber-enabled activities; and (iii) the difficulty in detecting and punishing malicious activities involving US IaaS products and relating to that jurisdiction. Regarding a foreign person, Commerce should consider (i) the extent to which a foreign person uses or offers US IaaS products for malicious cyber-enabled activities vis-à-vis legitimate purposes; and (ii) effective alternatives to the imposition of special measures.
EO 13984 also directs Commerce and other agencies to engage and solicit feedback from industry by May 19, 2021, on how to increase information sharing and collaboration among US IaaS providers and between US IaaS providers and relevant agencies. Agencies are also required to submit a report to the President by September 16, 2021, giving recommendations on encouraging information sharing and collaboration as well as on facilitating the detection of IaaS accounts and activities that involve foreign malicious cyber actors.
While EO 13984 raises important concerns with respect to implementing safeguards to reduce the use of IaaS products and services in the United States by malicious foreign actors, the standards that will be addressed in the Proposed Regulations may have a significant impact on many businesses operating in the United States given the broad definition of IaaS products. EO 13984 does not address any of the concerns that might be raised with respect to what measures can be implemented to respect individual privacy rights, nor does it address what measures can be taken to minimize the potential additional liability of requiring companies to store and maintain certain categories of sensitive personal data, including financial account information. For now, companies currently providing IaaS products should continue to monitor and evaluate Commerce’s actions and look for opportunities to engage in meaningful industry dialogue with Commerce on the scope of such Proposed Regulations.