TL;DR: The Executive Order’s proposed know-your-customer-style and information-sharing regulations are geared more towards addressing intellectual property piracy than thwarting a SolarWinds-style attack. The required collection of customer contact information will make the post-attack and post-breach legal process easier, but it will not prevent or deter an attack that uses stolen infrastructure.
Shortly after 9 p.m. Eastern on Tuesday evening, amid the flurry of late-night activity on the eve of the end of President Trump’s term in office, the White House issued an Executive Order heard all around the cybersecurity and information security space – “Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities”. Initial concern centered on the seemingly broad definition of Infrastructure as a Service (IaaS) and the compliance reporting obligations the Executive Order imposes on companies. Setting aside its flashy name (Significant! Malicious! Cyber-Enabled!), the Executive Order instead addresses a much more mundane threat – intellectual property theft – by requiring U.S.-based cloud infrastructure providers to drop anonymous, foreign threat actor accounts.
The Executive Order is a regulatory play in three main acts, best described as: Get to Know Your Customers (Section 1), Blocking Bad Foreign Actors (Section 2), and Sharing the Bad News (Section 3). Extending “Know Your Customer” (KYC) requirements to IaaS providers will lead to a shift in how single sign-on (SSO) is implemented, but it will not prevent foreign-based attacks.
The financial industry has long dealt with KYC-type requirements. Extending the same requirements to IaaS providers will increase costs for smaller IaaS providers and leave larger companies with a competitive advantage. Collecting and verifying customer information, safely storing records rich in personal data, and hiring regulatory compliance teams get expensive, and Big Tech companies are better equipped to absorb those costs. Smaller companies whose services fall under the Executive Order’s broad “IaaS” definition will have to adapt and outsource compliance. One risk mitigation option is to require all new and existing customers to use SSO through Google, Apple, or Amazon accounts. These SSO accounts already link contact and payment information to an account holder, and relying on them shifts the risk of verifying and maintaining that information to the Big Tech company. The unintended costs of increased SSO usage: additional data analytics for Big Tech and a higher value for stolen credentials.
Spotlight on Preventing Hollywood IP Attacks, not SolarWinds Attacks
Implementing KYC requirements for IaaS providers will not prevent foreign-based malicious attacks that use the stolen infrastructure (including passwords) of vetted and verified customers, as in the SolarWinds compromise (for additional reading: https://us-cert.cisa.gov/ncas/alerts/aa20-352a). IaaS providers confirmed SolarWinds’ “identity” years ago; the malicious actors wouldn’t have been deterred by a KYC requirement. But requiring verification of contact information for an account holder (rather than allowing an anonymous account) will make it easier for companies and law enforcement to prosecute intellectual property theft such as illegally streamed content. Prosecuting or suing providers of illegally streamed content requires contact information that anonymously created accounts do not carry.
While it may be easy to dismiss offhand, illegally distributed copyrighted material costs the U.S. economy (particularly Hollywood) upwards of $30 billion a year, according to reports.
FBI Director Wray describes economic losses linked to Chinese-sponsored intellectual property thefts as “one of the largest transfers of wealth in human history.”
Far from a last-minute scramble, the Executive Order echoes themes and concerns long raised by Big Tech, Hollywood, and law enforcement. A deeper read of its text, alongside recent legislative and policy initiatives, paints a broader picture of the uphill battle to protect intellectual property, encourage information sharing about IP theft, and add teeth to post-breach enforcement. Rumors of an executive order limiting U.S.-based cloud service providers in certain foreign jurisdictions were reported in early December by Steven Overly and Eric Geller at Politico and by Ashley Gold at Axios.
The common thread: protecting against intellectual property breaches originating in certain foreign countries by adding bite to the legal process. The Executive Order’s introductory paragraph outlines its goal of protecting against thefts of intellectual property by foreign actors and the difficulties of tracking and obtaining information in the legal process. Read it alongside the Protecting Lawful Streaming Act provisions included in the coronavirus relief package passed at the end of December, which make the illegal streaming of copyrighted material a felony, and the picture begins to take shape.
Information sharing of malicious threat actor tactics, techniques, and procedures (TTPs) amongst industry and government to prevent cyber attacks generally already exists. The information sharing requirement language in Section 3 of the Executive Order, along with the express inclusion of activities that “seek to compromise or impair the confidentiality, integrity, or availability of ….information…” within the definition of “malicious cyber-enabled activities” in Section 5(f), instead reflects long-standing calls for expanding the sharing of foreign actor intellectual property theft TTPs, particularly with respect to China (see, for example, the 2013 IP Commission Report).
Implementing KYC record-keeping obligations as a means of deterrence for foreign transactions makes more sense when viewed against the high costs of, and challenges in, minimizing intellectual property breaches linked to anonymous or foreign-based actors.
Whether the Executive Order’s proposals are properly authorized, will be overturned by the incoming administration, or face other legal hurdles is an analysis post for another day. Also worth its own commentary and analysis: the logic behind the magic-wand-waving power, granted to the Commerce Secretary under Section 1(c) of the Executive Order, to exempt any IaaS provider, account, or lessee. Regardless, the 180-day comment clock is ticking, and the covered policy issues are sure to arise in other avenues. Comments and substantive feedback from industry should focus on tightening definitions and acknowledging the true goals and costs of the proposals highlighted in the Executive Order.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.