In one of his final acts before closing his controversial term as President of the United States, Donald Trump has issued an executive order requiring US-based infrastructure-as-a-service (IaaS) providers to verify the identity of, and keep records on, foreign customers.
As reported by ZDNet, Trump signed an executive order on 19 January mandating that vendors of US-based IaaS products verify the identity of people obtaining an IaaS account for the provision of such products and maintain records of those transactions.
The executive order describes its use of the term IaaS as referring to products that provide users with the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers.
So, basically, cloud services.
The rationale behind the requirement, according to the executive order, primarily revolves around the issue of national security, with the order suggesting that foreign actors are known to use US-based IaaS products to carry out cyber attacks.
By ordering providers to verify the identity of their foreign customers and keep records, it is hoped the US can keep better tabs on malicious actors and more effectively combat their actions.
“This order provides authority to impose record-keeping obligations with respect to foreign transactions,” the executive order stated. “To address these threats, to deter foreign malicious cyber actors’ use of United States IaaS products, and to assist in the investigation of transactions involving foreign malicious cyber actors, the United States must ensure that providers offering United States IaaS products verify the identity of persons obtaining an IaaS account...for the provision of these products and maintain records of those transactions.
“In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors’ access to United States IaaS products.
“Further, the United States must encourage more robust cooperation among United States IaaS providers, including by increasing voluntary information sharing, to bolster efforts to thwart the actions of foreign malicious cyber actors.”
The records that need to be kept by IaaS vendors include the identity of foreign clients and their information, including names, national identification numbers and addresses.
Additionally, the users’ means and source of payment (including any associated financial institution and other identifiers such as credit card number, account number, customer identifier, transaction identifiers, or virtual currency wallet or wallet address identifier) must be retained.
How the order will directly impact cloud and IaaS vendors based in the US remains to be seen, as does whether the order will be reversed or annulled by the incoming President, Joe Biden.
Regardless, from the perspective of outgoing US National Security Advisor Robert C. O’Brien, the executive order closes what he claimed is a longstanding, critical security loophole for US-based IaaS products, one abused by those seeking to harm the country.
“Today’s action by the President is a major step forward in giving our nation’s network defenders and investigators an advantage in protecting the American people from those wishing to do us harm,” he said in a statement.