Trump Hates Cloud, Because China Cyber?

Hidden among the former president’s final executive orders was a juicy time bomb set under American cloud computing companies. Donald Trump declared that outfits such as Amazon Web Services and Microsoft Azure must submit to a pile of new regulations and record-keeping.

Not only that, but the U.S. government will soon have the power to shut down a cloud tenant if it’s operated by a proscribed country, region or individual. The idea is to help protect the Homeland against cyberattacks.

At least, that is, unless President Biden decides to click Edit|Undo. In today’s SB Blogwatch, we can smell the mission-creep a mile away.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: We go ga-ga for the Anthem.

Parting Shot at IaaS

Remember the dog days of 2020? Steven Overly, Eric Geller and Nahal Toosi spoke to deep-throat secret sources—“White House drafts executive order”:

 The Trump administration is weighing an executive order that would let the government restrict the international operations of U.S. cloud computing companies … in an effort to protect against foreign cyberattacks, people familiar with the matter [say]. The draft order is designed to deter malicious foreign actors from using cloud service providers to quickly and anonymously conduct cyberattacks, according to three people familiar with the order.

It would also give the U.S. another mechanism to keep the heat on China. … Senior agency officials … aim to have it on Trump’s desk before the end of the year, one U.S. official confirmed. … “This isn’t something that would be routinely used. It would be an extraordinary measure,” the official said. “But it’s there also as a leverage point in bilateral relations.”

The U.S. official said the executive order is not prompted by China alone, but that the government holds specific concerns about Chinese hackers and cloud companies. [It] would be one of many policies Biden will soon be tasked with deciding whether to continue.

So what happened? Alexandra Alper notes this last-minute EO, hidden among a pile of others—“Trump seeks to curb foreign cyber meddling on last day in office”:

Trump has signed an executive order aimed at thwarting foreign use of cloud computing products for malicious cyber operations. [It] gives the Commerce Department authority to write rules to bar transactions with foreigners in cloud computing products or services, if a foreigner uses them for cyber attacks.

Officials have been working on the directive for nearly two years [said] a senior administration official. … Biden’s transition team did not immediately respond to a request for comment.

I dare say they have one or two other things to worry about. Chris Duckett walks like a journalist—“Trump decrees American cloud providers need to maintain records on foreign clients”:

 Among the information to be retained, [they] are expected to keep names, physical and email addresses, national identification numbers, means and sources of payment … phone numbers, and IP addresses used to access services each time services are accessed.

The order gives the Secretary of Commerce the ability to restrict access to US cloud services [from a region] or limit the access of certain foreigners. This section and the record-keeping obligations will kick in after 180 days.

Sez who? Former President Donald J. Trump wrote this “Letter to the Speaker of the House … and the President of the Senate”:

 Pursuant to the International Emergency Economic Powers Act … the National Emergencies Act … and section 301 of title 3 … I hereby [declare] additional steps to be taken concerning the national emergency with respect to significant malicious cyber enabled activities.

Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process. … To address these threats, to deter foreign malicious cyber actors’ use of United States IaaS products, and to assist in the investigation … the United States must ensure that providers … verify the identity of persons obtaining … the provision of these products.

But Patrick Howell O’Neill thinks “Trump’s last-minute cyber order could have limited impact”:

 The stated aim is to help prevent hacking operations against the United States, although the timing and scope of the order mean it is surrounded by uncertainty. … The timing of the executive order—which was announced on the evening … of Trump’s last full day in office—is exceptional.

Whether rules like this would actually stop foreign hackers in practice is a source of debate. And since the order was signed so late … the question of whether it lasts in its current form falls to Joe Biden’s incoming administration. Any of Trump’s executive orders could be revoked or tweaked by the new president, who is expected to sign a wave of such orders quickly as he comes into office.

So hexadec is curious:

 [I’m] curious to see how the new administration will handle this. They will need to gather personal identity information to determine if you are a US citizen which is scary.

On the other hand, they do not define US IaaS very well. So I am curious if GCP/AWS will be exempt since I think they are technically shell companies registered in Jersey or Isle of Man or offshored on paper.

Acceptable? I’ve got love for SumDog:

 I was born in the 80s. Trump is literally the best president I’ve had in my lifetime. He started no new wars, created a great economy and wanted to end the lockdowns and get things back on track. … I say this unironically.

TL;DR? sneak offers this imprecise precis:

 If you want hosting in the US, you can show strongly identity-linked US bank/card information, or, if you don’t have one of those, strongly identity-linked ID documents. … Publishing anonymously should be something the government is actively trying to protect, not criminalize.

Meanwhile, roaming the lands invictusvoyd loves Linus: [You’re fired—Ed.]

 A lot of infrastructure runs on an OS initiated by a foreigner.

And Finally:

Gaga: “None of that Jazz nonsense.”

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Backbone Campaign (cc:by)

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of … Read More