October 25, 2021

WASHINGTON – Today, global tech trade association ITI recommended that the U.S. Department of Commerce further leverage public-private cooperation, existing policies and international partnerships to better mitigate abusive activities on Infrastructure as a Service (IaaS) platforms and avoid undermining U.S. competitiveness. In comments to the Department’s advanced notice of proposed rulemaking (ANPRM), which is associated with EO 13984 Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, ITI highlighted the potential for duplication with existing measures and key privacy and international competitiveness concerns surrounding potential requirements stemming from the EO.

“We strongly support the U.S. government on the importance of addressing these threats, and our members take seriously their responsibility to protect against malicious actors’ use of their services to perpetrate crimes and other malicious activities,” ITI wrote in its comments. “Given the privacy concerns the collection and retention requirements raise, as well as the way in which ‘special measures’ authorities may serve to undermine the competitiveness of U.S. cloud service providers vis-à-vis other cloud service providers operating globally, we encourage Commerce to seriously consider whether this rulemaking will be effective in achieving the underlying security objectives. Instead of levying additional requirements, we encourage Commerce to engage with the private sector more robustly through Section 3 of the Executive Order to develop appropriately calibrated solutions to the identified challenges, and to coordinate the implementation of this rulemaking with a further revised interim final rule.”

Section 3 of EO requires the U.S. Attorney General and Secretary of Homeland Security, in coordination with the Commerce Secretary, to engage and solicit feedback from industry on how to increase information sharing and collaboration among and between IaaS providers and U.S. government agencies to inform recommendations to encourage such voluntary information sharing, including related to foreign malicious cyber actors and as related to necessary liability protections.

Further, ITI’s comments highlight providers’ existing best practices to mitigate fraud and abuse on platforms, including through activities such as proactive monitoring and threat detection, built-in protections against bad behavior, behavior-based risk analysis, and expeditious incident response.

In its comments, ITI recommended that the Commerce Department:

  • Leverage alternative approaches to advance the desired outcome of reducing the misuse of IaaS offerings and consider mechanisms that are already in place, such as the sanctions the Treasury can impose on cyber criminals;
  • Consider that creating additional requirements for collecting data on legitimate users may not dissuade malicious actors and that such requirements may actually have unintended consequences, such as undermining U.S. competitiveness; 
  • Leverage existing multilateral agreements, such as the Budapest Convention on Cybercrime, to ensure that cyber criminals are deterred and prosecuted;
  • Consider attestation as an appropriate way to determine compliance with any potential requirements stemming from the EO, while also considering that exemptions be developed for IaaS providers that adhere to a set of best practices and for types of accounts that are not subject to concern of abuse given the nature of the ongoing customer relationship with IaaS providers; and
  • Deconflict the special measures authorities granted under the EO with the ongoing ICTS Supply Chain IFR process.

Public Policy Tags: Cybersecurity, Public Sector