What was on Donald Trump's mind during his last days in office? BLM? QAnon? Fox News? Deutsche Bank? Impeachment? IaaS? As multiple choice questions go, your average pundit may not have picked the latter, but cloud Infrastructure-as-a-Service was among the outgoing President's priorities as he left the White House for Florida -- signing a last-minute executive order demanding more stringent KYC rules for cloud providers.
"Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection" he wrote.
Trump wasn't entirely wrong. Amazon’s CloudFront was used last year to host Command & Control (C&C) infrastructure for a ransomware campaign that successfully hit at least two multinational companies in the food and services sectors, according to a report by Symantec. Azure has also been used to store malware behind phishing campaigns.
The Trump executive order explicitly calls for the US to "ensure that providers offering [US] IaaS products verify the identity of persons obtaining an IaaS account for the provision of these products and maintain records of those transactions. In appropriate circumstances, to further protect against malicious cyber-enabled activities, the US must also limit certain foreign actors’ access to US IaaS products."
The order's finer details arguably look unworkable. Attackers could just use non US-based cloud infrastructure. (There's no shortage of dubious hosts to handle C2 infrastructure if it works). Requiring (as the order does) "Internet Protocol addresses used for access or administration" is unlikely to help much given widespread VPN use/other IP-masking tools. Cloud providers could no doubt keep working harder to ensure their infrastructure isn't used to deliver malicious campaigns and improve KYC. Heavy-handed executive orders are unlikely to help. As The Register notes, it is on the Biden administration whether anything comes of the order.
Watch this space.