Analysts question viability of last-minute executive order from Trump on IaaS companies’ foreign users

In response to the Solar Winds attack, the order forces cloud companies to keep the names, addresses, emails, credit card numbers, and more, any time cloud services are used.

shutterstock272183825.jpg

Shutterstock / Andrew Cline

In one of former President Donald Trump’s last acts in office, he signed an executive order that forces US cloud companies to keep track of any foreign customers.

More about cybersecurity

The executive order also allows the Department of Commerce to block certain IaaS companies from providing services to known hackers, people known to have sold accounts to hackers, or people from countries that have been the source of many cloud-enabled cyberattacks. 

In a statement, National Security Adviser Robert O’Brien said the executive order “closes a longstanding, critical, security loophole for United States Infrastructure as a Service products, one abused by those seeking to harm our country.” 

He added that it “reduces malign actors’ access to and ability to use United States information technology and communication services products for nefarious purposes” and mentioned the devastating Solar Winds attack that is still plaguing the United States government. 

The order forces cloud companies to keep the names, addresses, emails, national identification numbers, credit card numbers, phone numbers, IP addresses, and more information any time cloud services are used. 

Multiple analysts questioned the timing of the executive order and slammed it for largely being ineffective in light of the struggles the government is facing in understanding the scope of the Solar Winds attack. 

“I don’t think this accomplishes anything but it isn’t meant to—it is meant to look good on paper, if only to those who don’t understand cybersecurity,” said Chloé Messdaghi, chief strategist at cybersecurity company Point3 Security. 

SEE: Top 5 programming languages for systems admins to learn (free PDF) (TechRepublic)

“Those in the cybersecurity community see this as a toothless and feckless act that signals ‘I’m doing something on my way out the door.’ It’s toothless because attackers don’t honor laws or regulations, do they? It’s an empty, meaningless gesture,” Messdaghi added. 

Dirk Schrader, global vice president at New Net Technologies questioned what companies would think when looking at an executive order like this considering all of them rely on customers abroad for significant parts of their business.

“Microsoft, Amazon, Google, and many smaller US-based IaaS providers will read this and say ‘what?’ Their global business models depend on resellers and integrators in foreign countries, they all have business entities across the globe,” he noted. 

“In addition, data privacy regulators in the EU will for sure be keen to see the proposed US regulations, especially in the light of the recent Schrems-II decision that rendered the ‘Privacy Shield’ invalid, the successor of the ‘Safe Harbor’ agreement. A requirement to retain personal data about European users, as mentioned in that executive order, will trigger their interest.”

Saryu Nayyar, CEO of cybersecurity firm Gurucul, said the usefulness of the order will depend on what rules, if any, come out of it.  

Nayyar explained that it simply declares “do something about the problem” without giving any guidance on specifically what needs to be done. 

“What ultimately comes of this will depend on the new administration having the Commerce Department follow the order and what rules they ultimately institute.  Ideally, the rules would be designed to stop malicious actors regardless of their origin, whether foreign or domestic,” Nayyar said. 

OneLogin global data protection officer Niamh Muldoon questioned the executive order because IaaS and other cloud-based product offerings have helped allow the global economy and society to keep moving forward during this pandemic. 

Balancing the associated cost and risk with the delivery of services is what differentiates these platforms and application providers, which are built on a foundation of secure identity and access management, Muldoon added.

But some analysts said the onus will fall on President Joe Biden to figure out how to implement an order like this. 

“It is clear that various bad actors will continue to aggressively and creatively target critical U.S. infrastructure, including public cloud infrastructure,” said Douglas Murray, CEO of software company Valtix. “It is important that the Biden administration makes cybersecurity a top priority for our national and economic defense moving forward.”

Also see