Administration of Donald J. Trump, 2021

January 19, 2021

Dear Madam Speaker: (Dear Mr. President:)

Pursuant to the International Emergency Economic Powers Act (50 U.S.C. 1701 *et seq*.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 *et seq*.), and section 301 of title 3, United States Code, I hereby report that I have issued an Executive Order declaring additional steps to be taken concerning the national emergency with respect to significant malicious cyber enabled activities declared in Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-enabled activities), as amended, to address the use of United States Infrastructure as a Service (IaaS) products by foreign malicious cyber actors.

Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection. This order provides authority to impose record-keeping obligations with respect to foreign transactions.

To address these threats, to deter foreign malicious cyber actors' use of United States IaaS products, and to assist in the investigation of transactions involving foreign malicious cyber actors, the United States must ensure that providers offering United States IaaS products verify the identity of persons obtaining an IaaS account ("Account") for the provision of these products and maintain records of those transactions. In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors' access to United States IaaS products. Further, the United States must encourage more robust cooperation among United States IaaS providers, including by increasing voluntary information sharing, to bolster efforts to thwart the actions of foreign malicious cyber actors.

I have delegated to the Secretary of Commerce, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to exempt any United States IaaS provider, or any specific type of Account or lessee, from the requirements of any regulation issued pursuant to this section. Such standards and procedures may include a finding by the Secretary that a provider, Account, or lessee complies with security best practices to otherwise deter abuse of IaaS products.

The heads of all executive departments and agencies are directed to take all appropriate measures within their authority to implement the provisions of the Executive Order.

I am enclosing a copy of the Executive Order I have issued.

DONALD J. TRUMP

NOTE: Identical letters were sent to Nancy Pelosi, Speaker of the House of Representatives, and Michael R. Pence, President of the Senate. An original was not available for verification of the content of this letter.

Categories: Communications to Congress : Malicious cyber-enabled activities, U.S. national emergency, letter on additional steps to address.

Subjects: Commerce, Department of : Secretary; Defense and national security : Cybersecurity :: Cyber attacks; Defense and national security : Cybersecurity :: Strengthening efforts.

DCPD Number: DCPD202100043.