Author: Tom Wadlow
As the curtain fell on one of the most unconventional, eventful and arguably controversial presidential terms in American history, outgoing White House occupant Donald Trump signed a raft of Executive Orders as Joe Biden officially took over as the country’s 46th President.
Among them, a directive which seeks to thwart foreign cyber operators from using US infrastructure to launch malicious attacks.
The Order, titled ‘Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities’, is designed to reduce access to and the ability to use American information communication technology services for nefarious purposes, according to National Security Advisor Robert C. O’Brien.
In a statement announcing the move on January 20, he said: “Today, President Donald J. Trump signed an Executive Order that closes a longstanding, critical, security loophole for United States Infrastructure as a Service (IaaS) products, one abused by those seeking to harm our country.”
The move by the former President is believed to be in response to recent high-profile hacks which have infiltrated US organisations, the most notable being the attack which infected software at SolarWinds, a campaign which also targeted government agencies. The foreign hackers managed to access the company’s infrastructure and install malware in a software update – exactly the sort of activity this Executive Order is designed to prevent.
So, how does the directive aim to do this and what could it mean for businesses?
Former President Trump affirms in the Executive Order document: “To address these threats, to deter foreign malicious cyber actors’ use of United States IaaS products, and to assist in the investigation of transactions involving foreign malicious cyber actors, the United States must ensure that providers offering United States IaaS products verify the identity of persons obtaining an IaaS account for the provision of these products and maintain records of those transactions.”
In short, the Order provides the United States Department of Commerce with the power to impose record-keeping on foreign transactions and, if necessary, block American infrastructure companies from doing business in countries where their products are used as launchpads for cyber-attacks (by individuals or even governments).
Similar powers are granted to block foreign operators who have accounts with US-based organisations, if said operators are shown to be involved in malicious activity.
“Foreign malicious cyber actors threaten our economy and national security through the theft of intellectual property and sensitive data, and by targeting United States critical infrastructure,” O’Brien’s statement added.
“By gaining access to United States infrastructure-as-a-service (IaaS) products, foreign actors can steal the fruits of American innovation and prepare destructive attacks on our nation’s critical infrastructure with anonymity. Malign actor abuse of United States IaaS products has played a role in every cyber incident during the last four years, including the actions resulting in the penetrations of United States firms FireEye and Solar Winds.
“Today’s action by the President is a major step forward in giving our nation’s network defenders and investigators an advantage in protecting the American people from those wishing to do us harm.”
If the Order makes it into US law, businesses will have to be prepared to prove the security of their business with foreign entities both at home and abroad.
It would result in new customer vetting regulations for IaaS providers (including tech giants like Google, Amazon and Microsoft), as well as record-keeping requirements for foreign customers, including sales made through resellers, an avenue often used by cyber criminals in order to hide their identity before carrying out attacks.
For smaller businesses, the processes involved could strain resources in a more challenging way.
Reacting to the announcement, Founder of American cyber firm Luta Security Katie Moussouris tweeted: “IaaS providers still have to figure out how to run an international intelligence data operation, verify real IDs of foreign customers, and resellers’ customers.
“That said, having heard enough hums of a similar melody recently in context of #SolarWinds with lawmakers and policy makers, I don’t expect this tune to fade too far out of earshot in the next administration.”
And there is no denying that malicious cyber activities have had devastating consequences, not only in terms of national security but also financially. According to the FBI’s annual Internet Crime Report, for example, cybercrime cost American businesses and individuals more than $3.5 billion in 2019.
Following the Solar Winds breach there is wide recognition of the need to strengthen domestic cybersecurity defences, and this proposal has been met with a mixed response from industry protagonists.
Jon DiMaggio of Virginia-based cyber-threat analyst firm Analystl told Bloomberg that he welcomed the move.
He said: “It certainly isn’t the first time supply chain attacks have happened, nor is it the first time the US government has been aware of the problem. It’s about time we started looking past the vendor cost to determine what technology we allow to support critical government infrastructure.”
However, major doubts remain as to whether the directive will make a genuine positive impact.
“The way I see it, Trump’s Executive Order is like a kid playing with his squirt gun in the middle of a war zone,” commented Maria Sirbu, VP of Corporate Communications at global IaaS provider Voxility.
“The chances of having any real influence on the bad guys are so infirm that I am afraid it will work the opposite – giving bad actors more options to look compliant and avoid being identified, if it goes through in the first place.
“Executive Orders need to start with real measures for internet regulations, more visibility into cloud giants, acting agaisnt hate speech and hate crime, harassment and so on. With a few thousand Executive Orders in place on different fronts we might see some differences. Cyberattacks are far more sizeable than cloud and IaaS, however, and the more we talk about ‘digitalisation’, the more incidents we’ll see.
“In terms of the burdens this will place on businesses having to comply, I see it transforming into a war itself. In a way, the European Union is fighting to protect privacy rights as best it can with full enforcement of GDPR and other privacy related laws, while the US wants less privacy by ordering companies to collect data on foreign actors. I do not see it ending well. For sure, we will witness an extended comment period allowing all actors (hopefully) to submit an input and that will be a decisive moment. However, I personally wonder if the internet is not too big already to be regulated.”
It is important to note that any new reporting regulations are far from becoming a reality at the current time.
An Executive Order is only the beginning of the process – the fate of the Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities directive ultimately lies in the hands of the Biden administration.
Indeed, the new President has the ability to overturn any Executive Orders made by his predecessor, and the cyber reporting directive could feasibly be among those which are revoked or altered as it journeys towards implementation. The Department of Commerce has six months to draft and propose regulations, by which time President Biden could have issued another Executive Order to amend or stop it in its tracks.