In one of the final acts of the Trump administration, the White House yesterday directed the Commerce Department to issue regulations requiring Infrastructure as a Service (IaaS) providers to take steps to verify the identities of foreign persons using their services. According to the order, foreign hackers are increasingly using US cloud infrastructure to conduct malicious activities. By using cloud infrastructure—which by its nature is meant to be agile—hackers can set up virtual machines quickly, use them to launch attacks, and then erase the virtual machines and move their operations elsewhere. US law enforcement faces a whack-a-mole problem. The problem is made worse when one party buys IaaS services and resells them to another party, who resells them to yet another party, making it hard to trace who did what and when. The proposed regulations would aim to mitigate this challenge by forcing IaaS providers to verify who they’re dealing with and keep records of those customers.
There are practical problems to be sorted out. IaaS providers are only meant to verify the identities of foreign customers, but does this effectively force them to verify everyone so that they know who's foreign and who isn't? Are the problems posited by the order real? Will verifying identities actually help? Is this just a political parting shot at Big Tech?
Beyond those practical questions, there's a theoretical question: what exactly is this order? The order purports to draw its authority from IEEPA, the US's main law on economic sanctions. But the mandate is pretty far from the paradigmatic exercise of the President's sanctions power (and is sure to face serious legal challenges as a result). It's really about imposing a new regulatory requirement on a particular domestic area of commerce. So if it's not sanctions, what is it?
It's anti-cloud laundering.
For years, banks have had to deal with regulations requiring them to verify the identities of people using their services and to make sure that the banks' services weren't being used for nefarious purposes. There are entire bodies of law around this: anti-money laundering (AML), know-your-customer rules (KYC), and countering the financing of terrorism (CFT) law. These laws require banks to verify customer identities precisely to hinder criminals from playing shell games with bank accounts and moving money around without accountability. But for the most part, these rules apply only to banks. There aren't many analogous laws that specifically require other businesses to take affirmative steps to prevent their services from being used by bad actors.
The rules proposed by this Executive Order are essentially anti-money laundering rules, except that they apply to certain types of cloud providers rather than banks, and they aim to prevent criminals from shuffling around their virtual presence rather than their money. In other words, the proposed rules attack a closely analogous problem with a closely analogous strategy: verify who the customer is, and keep records of the transaction.
Anti-cloud laundering may or may not be a good idea, but it certainly represents a totally new area of law. And if it is a new area of law, there are strong arguments that it isn't one that can be created by a unilateral executive order, and certainly not by one purporting to be an exercise of the sanctions power.
Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection. This order provides authority to impose record-keeping obligations with respect to foreign transactions.