14 April 2023

Biden Executive Order to Fight Cyber Threats Will Backfire

Dan Gouré

The Biden administration has decided to implement Executive Order (EO) 13984, promulgated during the Trump years with the ponderous title “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.” While the objective is laudable, the approach the EO takes will likely backfire, making it more difficult to defend against threats while having the unintended consequence of harming U.S. industry and consumers.

The IT ecosystem is continually evolving, expanding, and becoming more complex. An example is the rapid growth and increased sophistication of cloud computing. One area of cloud computing that is growing rapidly is called Infrastructure as a Service (IaaS). In the IaaS model, the cloud provider offers users physical infrastructure that can include computing, data storage, and networking. The customer takes responsibility for acquiring, operating, and managing their applications and data.

The IaaS environment is increasingly popular with customers and thus a major target for malicious actors. IaaS poses some particularly difficult security challenges. The responsibility for security is shared between cloud service providers and their customers. Complicating the security situation is the fact that many customers acquire IaaS from multiple providers. Also, customers can acquire services for limited periods of time.

In addition, a whole ecosystem of cloud service resellers has emerged to act as middlemen between actual cloud operators and the customer base. As a consequence, it can be difficult to know the identity of customers, particularly those who are not citizens of the country in which the IaaS provider is operating. Similarly, malicious actors use the inherent flexibility of the IaaS model to rapidly move their activities between providers to escape detection and conduct hostile activities.

The EO focuses on the growing threat posed by foreign malign actors using IaaS products as a means for conducting malicious cyber activities. It is asserted that the fluid nature of the IaaS environment makes it particularly difficult to track foreign actors through existing legal means.

The core of the solution proposed in the EO is to require IaaS providers to verify the identity of their customers. If the customer is identified as a malign foreign actor, the U.S. government would have the broad authority to take special measures, including closing their accounts, preventing them from opening new accounts, or restricting the kinds of products they can access.

The EO and the draft implementing regulation being developed by the Department of Commerce would not significantly enhance the already substantial security measures undertaken by U.S. cloud providers. In addition, they would do little to deter or defeat malevolent actors, while harming U.S. competitiveness, impeding innovation in cloud technologies, and threatening the privacy of users, potentially including private citizens.

While motivated by a legitimate concern regarding malicious exploitation of IaaS products, the approach taken in the EO and the proposed rulemaking will not achieve the desired ends and may simultaneously have significant unintended consequences for U.S. businesses. As one major industry group observed: “[It] is our view that the Executive Order will not be effective in addressing abuse of Infrastructure as a Service (IaaS) products and will instead unfortunately undermine legitimate business activities as well as the competitiveness of U.S. Cloud Service Providers.”

Requiring IaaS providers to verify the identity of IaaS customers is not as simple as it sounds. There is no standard electronic means for validating customers’ identities. It is not clear how providers would differentiate foreign customers from domestic ones, or from U.S. citizens operating in foreign countries. Documenting the identities of customers from some 140 countries would be a daunting and expensive undertaking. Requiring resellers to gather information to pass on to IaaS product providers just adds another layer of complexity to the effort.

But the key difficulty is that the proposed solution would not solve the problem. The malicious cyber actors that are the target of the EO have the sophistication and experience to provide false identities that would pass reasonable scrutiny. The result is likely to be the collection of lots of unnecessary information on legitimate customers with little effect on malicious actors.

In addition, the EO would likely unintentionally hamper the growing U.S. cloud services industry. Faced with demands for information, legitimate customers may eschew U.S. providers in favor of foreign companies with fewer restrictions. This reluctance to contract with U.S. providers would be exacerbated by concerns over the new broad powers the EO would give the U.S. government to restrict access to IaaS products by foreign customers.

IaaS providers are continually looking for ways of improving their services and providing new products. The requirement to verify a customer’s identity could raise the cost or reduce the utility of some new products to the point that they are no longer cost-effective.

The EO raises serious privacy concerns. How will the information collected by cloud service providers be managed and secured? How will the personally identifiable information of legitimate customers be protected? Verifying the identity of customers in foreign countries could easily result in information being gathered on U.S. citizens. How will the information of U.S. citizens be protected?

Finally, it is not clear that additional measures are necessary. Cloud service providers already have an extensive suite of security measures designed not only to detect malicious and fraudulent activity but also to protect their infrastructure. In addition, providers collect information related to a customer’s identity when accounts are created. They also continue to gather identity information on customers for billing and management purposes.

The actions proposed in the EO would not significantly enhance the already substantial security measures undertaken by U.S. cloud providers. Likewise, they would do little to deter or defeat malevolent actors, while harming innovation in cloud technologies and threatening the privacy of millions of Americans. Before the Department of Commerce proceeds to finalize a regulation in response to the EO, it should take a step back, carefully consider the potential unintended consequences of its proposal, and work more closely with industry in order to develop a regulation that reflects reality and can be effective against sophisticated threats.