Taking Additional Steps To Address Malicious Cyber-Enabled Activities
Jan 25, 2021
Signed by: Donald Trump
Signed on: Jan 19, 2021
Published on: Jan 25, 2021
Jan 25, 2021
Signed by: Donald Trump
Signed on: Jan 19, 2021
Published on: Jan 25, 2021
Summary
Requires US cloud service providers to check the identity of foreign customers to stop bad actors from using their services for harmful cyber attacks.
What problem does this solve?
Foreign bad actors use American cloud computing services to launch cyber attacks and steal information because it is easy to hide their identity. This order requires cloud service providers to verify who their foreign customers are, making it harder for criminals to hide and easier for officials to track them.
What does this order do?
Requires identity checks for foreign cloud service users
Directs the Secretary of Commerce to create rules forcing U.S. cloud service (IaaS) providers to verify the identity of any foreign person who opens an account.
Establishes new record-keeping rules
Mandates that cloud providers must keep records of foreign users, including their name, address, payment information, email, phone number, and IP addresses.
Reference
Text:
Section:
Header:
Special measures for certain foreign jurisdictions or foreign persons
Allows blocking users from certain countries
Authorizes the Secretary of Commerce to prohibit or restrict U.S. cloud providers from offering services to people in foreign countries known for malicious cyber activity.
Reference
Text:
Section:
Header:
Recommendations for cooperative efforts to deter the abuse of united states iaas products
Promotes information sharing between government and industry
Requires the Attorney General and Secretary of Homeland Security to develop recommendations for better information sharing among cloud providers and with the government to stop cyber threats.
Who does this affect?
- U.S. Infrastructure as a Service (IaaS) providers
- Foreign individuals and businesses using U.S. IaaS products
- U.S. National Security and Law Enforcement agencies
What is the real world impact?
•
Raises privacy concerns
Requires companies to collect and store more personal data on foreign users, including payment details and IP addresses. This creates a new, valuable target for hackers and could lead to privacy violations if the data is breached.
•
Protects national security from foreign cyber threats
Stops foreign actors from using American internet infrastructure to launch cyber attacks against the United States, steal secret information, or damage critical systems like power grids and banks.
•
Increases compliance costs for cloud companies
Places new burdens on U.S. cloud service providers to verify and keep records on all foreign customers. This could make American companies less competitive than foreign ones that do not have these rules.
When does this start?
This order takes effect immediately and sets several deadlines for federal agencies to create new rules.
Deadline for new identity verification rules
Within 180 days (by July 18, 2021), the Secretary of Commerce must propose regulations requiring cloud service providers to verify the identity of foreign customers.
Deadline for rules on high-risk countries
Within 180 days (by July 18, 2021), the Secretary of Commerce must propose regulations for taking special measures, like blocking services, against certain foreign countries or people.
Deadline for information sharing report
Within 240 days (by September 16, 2021), the Attorney General and Secretary of Homeland Security must give the President a report on how to improve information sharing with cloud providers.
Deadline for industry feedback
Within 120 days (by May 19, 2021), the Attorney General and Secretary of Homeland Security must ask for feedback from the tech industry on collaboration.