On January 19, 2021, President Trump issued Executive Order (EO) 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (86 Fed. Reg. 6,837 (Jan. 25, 2021)), taking further action under the national emergency declared by President Obama in Executive Order 13694 of April 1, 2015. EO 13984 directs the US Department of Commerce (Commerce) to: (1) promulgate know-your-customer (KYC)-type identification and recordkeeping obligations on US “Infrastructure as a Service” (IaaS) providers engaging in foreign transactions, and (2) consult with other US government agencies to impose “special measures” (i.e., restrictions) on foreign jurisdictions and foreign persons determined to be using US IaaS to engage in significant malicious cyber activities.

The EO describes IaaS as “products to provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers,” and includes a lengthy definition of different types of IaaS products that are covered by the EO. Although some reports have focused on the impact that EO 13984 may have on cloud service providers, the EO’s broad definition for IaaS could sweep in other information technology service providers operating in the US.

The EO is not effective immediately, and may not go into effect for several months or longer. The EO directs Commerce “to propose for notice and comment” regulations within 180 days implementing the KYC and “special measures” directives described above. In addition, EO 13984 was issued by President Trump at the very end of his administration, and it is possible that the Biden Administration will delay implementation for a longer period of time as it reviews the legal and policy implications of the EO.

More specifically:

  • Section 1 of the EO directs Commerce to issue proposed rules within 180 days requiring US IaaS providers to verify and maintain records documenting the identity of foreign persons that open and maintain “Accounts” or lease or sub-lease them.
    • The section directs adoption of minimum standards for identity verification procedures and the maintenance of records, such as name, address, nationality identity number, point of contact, payment, and Internet Protocol information, among other data requirements.
    • US IaaS providers are also responsible for implementing measures to safeguard such information and limit all third-party access to the information, except where permitted under applicable law.
    • Commerce is permitted, in consultation with the US Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to exempt US IaaS providers, or any specific type of Account or lessee, from these requirements, such as for compliance with security best practices to deter abuse of IaaS products.
  • Section 2 of the EO directs Commerce to issue proposed rules within 180 days imposing “special measures” on foreign persons or foreign jurisdictions engaged in malicious cyber-related activities, including the prohibition of, or conditions on, the opening or maintaining of an “Account,” including a “Reseller Account,” with any US IaaS provider or otherwise located in the United States.
    • Foreign persons or foreign jurisdictions may be subject to special measures if Commerce, in consultation with the Secretary of State, the Secretary of the Treasury, and the other US government agencies identified above, determines, based on “reasonable grounds,” that:
      • a foreign jurisdiction has a significant number of foreign persons offering US IaaS products for, or directly obtaining US IaaS products for use in, malicious cyber-enabled activities; or
      • a foreign person has established a pattern of conduct of offering US IaaS products that are used for, or directly obtaining United States IaaS products for use in, malicious cyber-enabled activities.

The EO identifies a number of factors to be applied in deciding whether a foreign jurisdiction or foreign person has engaged in malicious cyber-enabled activities using IaaS.

  • Upon making such a finding, Commerce is permitted to impose “special measures,” including prohibition of, or conditions on, the opening or maintaining with any US IaaS provider or in the United States of an “Account,” including a “Reseller Account”:
    • By any foreign jurisdiction found to have any significant number of foreign persons offering or using US IaaS products for malicious cyber-enabled activities; and
    • For or on behalf of any foreign person found to be offering US IaaS products used for, or directly obtaining US IaaS products for use in, malicious cyber-enabled activities.
  • These special measures are roughly analogous to the provisions of Section 311 of the USA PATRIOT Act of 2001, as amended, applicable to foreign jurisdictions, financial institutions, transactions, and accounts of “primary money laundering concern,” as well as KYC requirements for US financial institutions.

Finally, Section 3 of EO 13984 directs the US government to recommend measures to deter the abuse of US IaaS products, Section 4 authorizes the identification of funding requirements and sufficient resources to execute the EO, and Section 5 provides definitions for certain terms.

In a letter to Congress regarding the Executive Order on January 19, President Trump explained that “[f]oreign actors use [IaaS] for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities.”

To date, the Biden Administration has not taken any formal position with regard to EO 13984, which was one of several Presidential and Executive agency national security-related regulatory actions taken during the last few days of the Trump Administration. On January 20, 2021, White House Chief of Staff Ron Klain issued a memorandum, “Regulatory Freeze Pending Review,” that instructed agencies to take a number of actions to freeze or delay implementation of regulations that were pending as of the end of the Trump Administration. While the Klain memorandum does not directly affect the timeframes for rulemaking under EO 13984, it signals an intent by the Biden Administration to take a close look at any regulatory policy changes that were initiated at the end of the Trump Administration. It is possible, therefore, that there may be some additional delay in Commerce’s implementation of EO 13984.

Issuance of the Executive Order does not immediately change the regulatory landscape, but sets the stage for Commerce to propose regulations for notice and comment in the coming months. Accordingly, US IaaS providers, including those offering Accounts and Reseller Accounts, and their customers should monitor regulatory developments in this area.