Page:Executive Order 13984.pdf/1

Rh

 Executive Order 13984 of January 19, 2021

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code:

I, DONALD J. TRUMP, President of the United States of America, find that additional steps must be taken to deal with the national emergency related to significant malicious cyber-enabled activities declared in Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended, to address the use of United States Infrastructure as a Service (IaaS) products by foreign malicious cyber actors. IaaS products provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers. Foreign malicious cyber actors aim to harm the United States economy through the theft of intellectual property and sensitive data and to threaten national security by targeting United States critical infrastructure for malicious cyber-enabled activities. Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection. This order provides authority to impose record-keeping obligations with respect to foreign transactions. To address these threats, to deter foreign malicious cyber actors’ use of United States IaaS products, and to assist in the investigation of transactions involving foreign malicious cyber actors, the United States must ensure that providers offering United States IaaS products verify the identity of persons obtaining an IaaS account (“Account”) for the provision of these products and maintain records of those transactions. In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors’ access to United States IaaS products. Further, the United States must encourage more robust cooperation among United States IaaS providers, including by increasing voluntary information sharing, to bolster efforts to thwart the actions of foreign malicious cyber actors.

Accordingly, I hereby order:

Section 1. Verification of Identity. Within 180 days of the date of this order, the Secretary of Commerce (Secretary) shall propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account. These regulations shall, at a minimum:

(a) set forth the minimum standards that United States IaaS providers must adopt to verify the identity of a foreign person in connection with the opening of an Account or the maintenance of an existing Account, including: