[House Document 117-11]
[From the U.S. Government Publishing Office]
117th Congress, 1st Session - - - - - - - - - - House Document 117-11
TAKING ADDITIONAL STEPS TO ADDRESS THE NATIONAL EMERGENCY WITH RESPECT
TO SIGNIFICANT MALICIOUS CYBER-ENABLED ACTIVITIES
__________
COMMUNICATION
from
THE PRESIDENT OF THE UNITED STATES
transmitting
ADDITIONAL STEPS TO ADDRESS THE NATIONAL EMERGENCY WITH RESPECT TO
SIGNIFICANT MALICIOUS CYBER-ENABLED ACTIVITIES AS DECLARED IN EXECUTIVE
ORDER 13694 OF APRIL 1, 2015, PURSUANT TO 50 U.S.C. 1703(b); PUBLIC LAW
95-223, SEC. 204(b); (91 STAT. 1627) AND 50 U.S.C. 1641(b); PUBLIC LAW
94-412, SEC. 401(b); (90 STAT. 1257)
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
January 21, 2021.--Referred to the Committee on Foreign Affairs and
ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
19-011 WASHINGTON : 2021
The White House,
Washington, January 19, 2021.
Hon. Nancy Pelosi,
Speaker of the House of Representatives,
Washington, DC.
Dear Madam Speaker: Pursuant to the International Emergency
Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the
National Emergencies Act (50 U.S.C. 1601 et seq.), and section
301 of title 3, United States Code, I hereby report that I have
issued an Executive Order declaring additional steps to be
taken concerning the national emergency with respect to
significant malicious cyber enabled activities declared in
Executive Order 13694 of April 1, 2015 (Blocking the Property
of Certain Persons Engaging in Significant Malicious Cyber-
enabled activities), as amended, to address the use of United
States Infrastructure as a Service (IaaS) products by foreign
malicious cyber actors.
Foreign actors use United States IaaS products for a
variety of tasks in carrying out malicious cyber-enabled
activities, which makes it extremely difficult for United
States officials to track and obtain information through legal
process before these foreign actors transition to replacement
infrastructure and destroy evidence of their prior activities;
foreign resellers of United States IaaS products make it easier
for foreign actors to access these products and evade
detection. This order provides authority to impose record-
keeping obligations with respect to foreign transactions.
To address these threats, to deter foreign malicious cyber
actors' use of United States IaaS products, and to assist in
the investigation of transactions involving foreign malicious
cyber actors, the United States must ensure that providers
offering United States IaaS products verify the identity of
persons obtaining an IaaS account (``Account'') for the
provision of these products and maintain records of those
transactions. In appropriate circumstances, to further protect
against malicious cyber-enabled activities, the United States
must also limit certain foreign actors' access to United States
IaaS products. Further, the United States must encourage more
robust cooperation among United States IaaS providers,
including by increasing voluntary information sharing, to
bolster efforts to thwart the actions of foreign malicious
cyber actors.
I have delegated to the Secretary of Commerce, in
consultation with the Secretary of Defense, the Attorney
General, the Secretary of Homeland Security, and the Director
of National Intelligence, to exempt any United States IaaS
provider, or any specific type of Account or lessee, from the
requirements of any regulation issued pursuant to this section.
Such standards and procedures may include a finding by the
Secretary that a provider, Account, or lessee complies with
security best practices to otherwise deter abuse of IaaS
products.
The heads of all executive departments and agencies are
directed to take all appropriate measures within their
authority to implement the provisions of the Executive Order.
I am enclosing a copy of the Executive Order I have issued.
Sincerely,
Donald J. Trump.
Executive Order
----------
Taking Additional Steps To Address the National Emergency With Respect
to Significant Malicious Cyber-Enabled Activities
By the authority vested in me as President by the
Constitution and the laws of the United States of America,
including the International Emergency Economic Powers Act (50
U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50
U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United
States Code:
I, DONALD J. TRUMP, President of the United States of
America, find that additional steps must be taken to deal with
the national emergency related to significant malicious cyber-
enabled activities declared in Executive Order 13694 of April
1, 2015 (Blocking the Property of Certain Persons Engaging in
Significant Malicious Cyber-Enabled Activities), as amended, to
address the use of United States Infrastructure as a Service
(IaaS) products by foreign malicious cyber actors. IaaS
products provide persons the ability to run software and store
data on servers offered for rent or lease without
responsibility for the maintenance and operating costs of those
servers. Foreign malicious cyber actors aim to harm the United
States economy through the theft of intellectual property and
sensitive data and to threaten national security by targeting
United States critical infrastructure for malicious cyber-
enabled activities. Foreign actors use United States IaaS
products for a variety of tasks in carrying out malicious
cyber-enabled activities, which makes it extremely difficult
for United States officials to track and obtain information
through legal process before these foreign actors transition to
replacement infrastructure and destroy evidence of their prior
activities; foreign resellers of United States IaaS products
make it easier for foreign actors to access these products and
evade detection. This order provides authority to impose
record-keeping obligations with respect to foreign
transactions. To address these threats, to deter foreign
malicious cyber actors' use of United States IaaS products, and
to assist in the investigation of transactions involving
foreign malicious cyber actors, the United States must ensure
that providers offering United States IaaS products verify the
identity of persons obtaining an IaaS account (``Account'') for
the provision of these products and maintain records of those
transactions. In appropriate circumstances, to further protect
against malicious cyber-enabled activities, the United States
must also limit certain foreign actors' access to United States
IaaS products. Further, the United States must encourage more
robust cooperation among United States IaaS providers,
including by increasing voluntary information sharing, to
bolster efforts to thwart the actions of foreign malicious
cyber actors.
Accordingly, I hereby order:
Section 1. Verification of Identity. Within 180 days of the
date of this order, the Secretary of Commerce (Secretary) shall
propose for notice and comment regulations that require United
States IaaS providers to verify the identity of a foreign
person that obtains an Account. These regulations shall, at a
minimum:
(a) set forth the minimum standards that United States IaaS
providers must adopt to verify the identity of a foreign person
in connection with the opening of an Account or the maintenance
of an existing Account, including:
(i) the types of documentation and procedures
required to verify the identity of any foreign person
acting as a lessee or sub-lessee of these products or
services;
(ii) records that United States IaaS providers must
securely maintain regarding a foreign person that
obtains an Account, including information establishing:
(A) the identity of such foreign person and
the person's information, including name,
national identification number, and address;
(B) means and source of payment (including
any associated financial institution and other
identifiers such as credit card number, account
number, customer identifier, transaction
identifiers, or virtual currency wallet or
wallet address identifier);
(C) electronic mail address and telephonic
contact information, used to verify a foreign
person's identity; and
(D) Internet Protocol addresses used for
access or administration and the date and time
of each such access or administrative action,
related to ongoing verification of such foreign
person's ownership of such an Account; and
(iii) methods for limiting all third-party access to
the information described in this subsection, except
insofar as such access is otherwise consistent with
this order and allowed under applicable law;
(b) take into consideration the type of Account maintained
by United States IaaS providers, methods of opening an Account,
and types of identifying information available to accomplish
the objectives of identifying foreign malicious cyber actors
using any such products and avoiding the imposition of an undue
burden on such providers; and
(c) permit the Secretary, in accordance with such standards
and procedures as the Secretary may delineate and in
consultation with the Secretary of Defense, the Attorney
General, the Secretary of Homeland Security, and the Director
of National Intelligence, to exempt any United States IaaS
provider, or any specific type of Account or lessee, from the
requirements of any regulation issued pursuant to this section.
Such standards and procedures may include a finding by the
Secretary that a provider, Account, or lessee complies with
security best practices to otherwise deter abuse of IaaS
products.
Sec. 2. Special Measures for Certain Foreign Jurisdictions
or Foreign Persons. (a) Within 180 days of the date of this
order, the Secretary shall propose for notice and comment
regulations that require United States IaaS providers to take
any of the special measures described in subsection (d) of this
section if the Secretary, in consultation with the Secretary of
State, the Secretary of the Treasury, the Secretary of Defense,
the Attorney General, the Secretary of Homeland Security, the
Director of National Intelligence and, as the Secretary deems
appropriate, the heads of other executive departments and
agencies (agencies), finds:
(i) that reasonable grounds exist for concluding that
a foreign jurisdiction has any significant number of
foreign persons offering United States IaaS products
that are used for malicious cyber-enabled activities or
any significant number of foreign persons directly
obtaining United States IaaS products for use in
malicious cyber-enabled activities, in accordance with
subsection (b) of this section; or
(ii) that reasonable grounds exist for concluding
that a foreign person has established a pattern of
conduct of offering United States IaaS products that
are used for malicious cyber-enabled activities or
directly obtaining United States IaaS products for use
in malicious cyber-enabled activities.
(b) In making findings under subsection (a) of this section
on the use of United States IaaS products in malicious cyber-
enabled activities, the Secretary shall consider any
information the Secretary determines to be relevant, as well as
information pertaining to the following factors:
(i) Factors related to a particular foreign
jurisdiction, including:
(A) evidence that foreign malicious cyber
actors have obtained United States IaaS
products from persons offering United States
IaaS products in that foreign jurisdiction,
including whether such actors obtained such
IaaS products through Reseller Accounts;
(B) the extent to which that foreign
jurisdiction is a source of malicious
cyberenabled activities; and
(C) Whether the United States has a mutual
legal assistance treaty with that foreign
jurisdiction, and the experience of United
States law enforcement officials and regulatory
officials in obtaining information about
activities involving United States IaaS
products originating in or routed through such
foreign jurisdiction; and
(ii) Factors related to a particular foreign person,
including:
(A) the extent to which a foreign person uses
United States IaaS products to conduct,
facilitate, or promote malicious cyber-enabled
activities;
(B) the extent to which United States IaaS
products offered by a foreign person are used
to facilitate or promote malicious cyber-
enabled activities;
(C) the extent to which United States IaaS
products offered by a foreign person are used
for legitimate business purposes in the
jurisdiction; and
(D) the extent to which actions short of the
imposition of special measures pursuant to
subsection (d) of this section are sufficient,
with respect to transactions involving the
foreign person offering United States IaaS
products, to guard against malicious cyber-
enabled activities.
(c) In selecting which special measure or measures to take
under this section, the Secretary shall consider:
(i) whether the imposition of any special measure
would create a significant competitive disadvantage,
including any undue cost or burden associated with
compliance, for United States IaaS providers;
(ii) the extent to which the imposition of any
special measure or the timing of the special measure
would have a significant adverse effect on legitimate
business activities involving the particular foreign
jurisdiction or foreign person; and
(iii) the effect of any special measure on United
States national security, law enforcement
investigations, or foreign policy.
(d) The special measures referred to in subsections (a),
(b), and (c) of this section are as follows:
(i) Prohibitions or Conditions on Accounts within
Certain Foreign Jurisdictions: The Secretary may
prohibit or impose conditions on the opening or
maintaining with any United States IaaS provider of an
Account, including a Reseller Account, by any foreign
person located in a foreign jurisdiction found to have
any significant number of foreign persons offering
United States IaaS products used for malicious cyber-
enabled activities, or by any United States IaaS
provider for or on behalf of a foreign person; and
(ii) Prohibitions or Conditions on Certain Foreign
Persons: The Secretary may prohibit or impose
conditions on the opening or maintaining in the United
States of an Account, including a Reseller Account, by
any United States IaaS provider for or on behalf of a
foreign person, if such an Account involves any such
foreign person found to be offering United States IaaS
products used in malicious cyber-enabled activities or
directly obtaining United States IaaS products for use
in malicious cyber-enabled activities.
(e) The Secretary shall not impose requirements for United
States IaaS providers to take any of the special measures
described in subsection (d) of this section earlier than 180
days following the issuance of final regulations described in
section 1 of this order.
Sec. 3. Recommendations for Cooperative Efforts to Deter
the Abuse of United States IaaS Products. (a) Within 120 days
of the date of this order, the Attorney General and the
Secretary of Homeland Security, in coordination with the
Secretary and, as the Attorney General and the Secretary of
Homeland Security deem appropriate, the heads of other
agencies, shall engage and solicit feedback from industry on
how to increase information sharing and collaboration among
IaaS providers and between IaaS providers and the agencies to
inform recommendations under subsection (b) of this section.
(b) Within 240 days of the date of this order, the Attorney
General and the Secretary of Homeland Security, in coordination
with the Secretary, and, as the Attorney General and Secretary
of Homeland Security deem appropriate, the heads of other
agencies, shall develop and submit to the President a report
containing recommendations to encourage:
(i) voluntary information sharing and collaboration,
among United States IaaS providers; and
(ii) information sharing between United States IaaS
providers and appropriate agencies, including the
reporting of incidents, crimes, and other threats to
national security, for the purpose of preventing
further harm to the United States.
(c) The report and recommendations provided under
subsection (b) of this section shall consider existing
mechanisms for such sharing and collaboration, including the
Cybersecurity Information Sharing Act (6 U.S.C. 1503 et seq.),
and shall identify any gaps in current law, policy, or
procedures. The report shall also include:
(i) information related to the operations of foreign
malicious cyber actors, the means by which such actors
use IaaS products within the United States, malicious
capabilities and tradecraft, and the extent to which
persons in the United States are compromised or
unwittingly involved in such activity;
(ii) recommendations for liability protections beyond
those in existing law that may be needed to encourage
United States IaaS providers to share information among
each other and with the United States Government; and
(iii) recommendations for facilitating the detection
and identification of Accounts and activities that
involve foreign malicious cyber actors.
Sec. 4. Ensuring Sufficient Resources for Implementation.
The Secretary, in consultation with the heads of such agencies
as the Secretary deems appropriate, shall identify funding
requirements to support the efforts described in this order and
incorporate such requirements into its annual budget
submissions to the Office of Management and Budget.
Sec. 5. Definitions. For the purposes of this order, the
following definitions apply:
(a) The term ``entity'' means a partnership, association,
trust, joint venture, corporation, group, subgroup, or other
organization;
(b) The term ``foreign jurisdiction'' means any country,
subnational territory, or region, other than those subject to
the civil or military jurisdiction of the United States, in
which any person or group of persons exercises sovereign de
facto or de jure authority, including any such country,
subnational territory, or region in which a person or group of
persons is assuming to exercise governmental authority whether
such a person or group of persons has or has not been
recognized by the United States;
(c) The term ``foreign person'' means a person that is not
a United States person;
(d) The term ``Infrastructure as a Service Account'' or
``Account'' means a formal business relationship established to
provide IaaS products to a person in which details of such
transactions are recorded.
(e) The term ``Infrastructure as a Service Product'' means
any product or service offered to a consumer, including
complimentary or ``trial'' offerings, that provides processing,
storage, networks, or other fundamental computing resources,
and with which the consumer is able to deploy and run software
that is not predefined, including operating systems and
applications. The consumer typically does not manage or control
most of the underlying hardware but has control over the
operating systems, storage, and any deployed applications. The
term is inclusive of ``managed'' products or services, in which
the provider is responsible for some aspects of system
configuration or maintenance, and ``unmanaged'' products or
services, in which the provider is only responsible for
ensuring that the product is available to the consumer. The
term is also inclusive of ``virtualized'' products and
services, in which the computing resources of a physical
machine are split between virtualized computers accessible over
the Internet (e.g., ``virtual private servers''), and
``dedicated'' products or services in which the total computing
resources of a physical machine are provided to a single person
(e.g., ``bare-metal'' servers);
(f) The term ``malicious cyber-enabled activities'' refers
to activities, other than those authorized by or in accordance
with United States law that seek to compromise or impair the
confidentiality, integrity, or availability of computer,
information, or communications systems, networks, physical or
virtual infrastructure controlled by computers or information
systems, or information resident thereon;
(g) The term ``person'' means an individual or entity;
(h) The term ``Reseller Account'' means an Infrastructure
as a Service Account established to provide IaaS products to a
person who will then offer those products subsequently, in
whole or in part, to a third party.
(i) The term ``United States Infrastructure as a Service
Product'' means any Infrastructure as a Service Product owned
by any United States person or operated within the territory of
the United States of America;
(j) The term ``United States Infrastructure as a Service
Provider'' means any United States Person that offers any
Infrastructure as a Service Product;
(k) The term ``United States person'' means any United
States citizen, lawful permanent resident of the United States
as defined by the Immigration and Nationality Act, entity
organized under the laws of the United States or any
jurisdiction within the United States (including foreign
branches), or any person located in the United States;
Sec. 6. Amendment to Reporting Authorizations. Section (9)
of Executive Order 13694, as amended, is further amended to
read as follows:
``Sec. 9. The Secretary of the Treasury, in consultation
with the Secretary of State, the Attorney General, and the
Secretary of Commerce, is hereby authorized to submit the
recurring and final reports to the Congress on the national
emergency declared in this order, consistent with section
401(c) of the NEA (50 U.S.C. 1641(c)) and section 204(c) of
IEEPA (50 U.S.C. 1703(c)).''
Sec. 7. General Provisions. (a) The Secretary, in
consultation with the heads of such other agencies as the
Secretary deems appropriate, is hereby authorized to take such
actions, including the promulgation of rules and regulations,
and employ all powers granted to the President by IEEPA as may
be necessary to carry out the purposes of this order. The
Secretary may redelegate any of these functions to other
officers within the Department of Commerce, consistent with
applicable law. All departments and agencies of the United
States Government are hereby directed to take all appropriate
measures within their authority to carry out the provisions of
this order.
(b) Nothing in this order shall be construed to impair or
otherwise affect:
(i) the authority granted by law to an executive
department or agency, or the head thereof; or
(ii) the functions of the Director of the Office of
Management and Budget relating to budgetary,
administrative, or legislative proposals.
(c) This order shall be implemented consistent with
applicable law and subject to the availability of
appropriations.
(d) Nothing in this order prohibits or otherwise restricts
authorized intelligence, military, law enforcement, or other
activities in furtherance of national security or public safety
activities.
(e) This order is not intended to, and does not, create any
right or benefit, substantive or procedural, enforceable at law
or in equity by any party against the United States, its
departments, agencies, or entities, its officers, employees, or
agents, or any other person.
Donald J. Trump.
The White House, January 19, 2021.
[all]