Trump mandates closer cooperation between government and cloud providers to fight criminals

The twice-impeached President's latest executive order requires cloud providers like AWS, Microsoft and Google to maintain records on overseas customers

Outgoing President Donald Trump has signed one of his last executive orders, ordering American cloud providers to maintain records on foreign clients - the idea being that this will help if the authorities need to track cyber criminals.

Names, physical addresses, email addresses, national ID numbers, means and sources of payment, phone numbers and IP addresses used to access services are among the information that must be retained.

The executive order itself - and a letter Trump sent to House Speaker Nancy Pelosi and Vice President Mike Pence - refers to infrastructure-as-a-service (IaaS), but goes on to explain that the definition includes other cloud services.

'The term [IaaS] means any product or service offered to a consumer, including complimentary or 'trial' offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.'

It adds that the term includes managed, unmanaged, virtualised and dedicated products and services.

Trump's letter states:

'To address these [cyber] threats, to deter foreign malicious cyber actors' use of United States IaaS products, and to assist in the investigation of transactions involving foreign malicious cyber actors, the United States must ensure that providers offering United States IaaS products verify the identity of persons obtaining an IaaS account ("Account") for the provision of these products and maintain records of those transactions. In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors' access to United States IaaS products. Further, the United States must encourage more robust cooperation among United States IaaS providers, including by increasing voluntary information sharing, to bolster efforts to thwart the actions of foreign malicious cyber actors.'

When this order takes effect, the Secretary of Commerce (currently Wilbur Ross - for at least a few more hours) will be able to restrict access to US cloud services in a country if that country is found to have 'any significant number of foreign persons offering United States IaaS products that are used for malicious cyber-enabled activities'. The Secretary will also be able to limit access on an individual basis.

The executive order will come in to force in 180 days (19th July). In 120 days (20th May), the US government will consult with US cloud providers around how to increase information sharing between the two parties, as well as between cloud providers themselves, to 'deter the abuse of US IaaS products'. A report and recommendations will be presented to President Biden in 240 days (17th September).