"Biden admin recently said it will require cloud providers to verify the identity of their users"
From: https://www.politico.com/news/2023/03/10/white-house-cloud-overhaul-00086595
I won't quote the entire article, but some key points are:
Among other steps, the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first introduced in a Trump administration executive order). And last week the administration warned in its national cybersecurity strategy that more cloud regulations are coming — saying it plans to identify and close regulatory gaps over the industry.
That risk is only growing, said Rob Knake, the deputy national cyber director for strategy and budget. Foreign hackers have become more adept at “spinning up and rapidly spinning down” new servers, he said — in effect, moving so quickly from one rented service to the next that new leads dry up for U.S. law enforcement faster than it can trace them down.
“In the United States, we don’t have a national regulator for cloud. We don’t have a Ministry of Communication. We don’t have anybody who would step up and say, ‘It’s our job to regulate cloud providers,’” said Knake, of the strategy and budget office. The cloud, he said, “needs to have a regulatory structure around it.”
What are your thoughts? Do you think this will have any impact on non-enterprise 'cloud providers' or do you think that things will be so loosely defined that all service providers (web hosting, VPS, dedicated, etc) will fall under the umbrella of this?
Comments
My guess is it'll only affect large enterprise providers who have international presence. But I don't think anything like this would ever pass, especially considering politicians don't know what "cloud" is.
It's mostly a bunch of wishful thinking on the part of Big Government and law enforcement for the moment, BUT we need to see what the reaction will be from the lobbyists funded by the big providers. They have been writing the script recently, so they will want to have a say in the wording of any potential legislation or executive orders. The appetite for regulatory structures (as opposed to self-regulation) has been growing from them in recent years, and I guarantee you they will use it to hurt mid-sized players if they can. Then watch for the reaction from freedom of speech advocates, and we'll get the battle lines drawn over this and what level of effort there will be for regulation during an election cycle.
I think you're probably right; the only thing that worries me is they don't know what "cloud" is and still somehow pass something absolutely terrible.
I do worry about it being used as a way to stamp out small/medium competition. Lobbyists using government regulations to close the door behind themselves once they're in is extremely common. Even something as simple as expensive and asinine compliance audits or already having their fingers in owning some ID-verification service and then shoving this through as a way to 'tax' the smaller entities.
Indeed. One of the ideas of many that I've seen floated by lobbyists in similar discussions is requiring an individual or team responsible for regulatory compliance and/or a compliance liaison/officer kind of role. That is chump change for a big provider, but very, very expensive for a smaller provider. These kinds of requirements are the dirty little tricks that lobbyists write into the scripts of these kinds of regulatory structures. It happens in every industry. There's a lot more than that, of course, but it's the kind of thing to look out for as you listen to speeches and testimony, etc...
The idea isn't new, it was proposed under the Trump admin and will be proposed under the next administration as well, regardless of party.
Seems more like the "TSA Approach" to security. Instead of shifting focus to where the problem is or diverting funds to strengthen our actual cyber security systems, they just do something that is invasive and annoying to most without having an impact on the actual problem. They're blaming foreign actors 'spinning up and spinning down' American servers to launch attacks and exploit weaknesses in infrastructure here, as if these could only be carried out on American servers, which we all know is a silly idea. Just seems like they're using the current "Russia is really bad" excuse to implement things that'd normally not have support. (Sort of like the post-9/11 changes in the name of National Security.)
Probably require something like ID.ME. It's already in use on some Government sites, pretty sure it was on IRS.Gov that I had to do some ID.ME stuff. It's annoying. It feels invasive and incredibly uncomfortable when you're doing facial scans and stuff on your mobile device.
Yes, one of the most common justifications, right up there with a national (or better yet, global) health emergency. They just love to go back and forth between those two award-winning, gold medal, sure bet, triple-A justifications.
You missed “to protect children”. A classic.
Francisco
KYC is nothing new. It is completely different from "know your random poster in your blog" or "know the random mailing you" or "you are responsible for what other people are doing".
That being said, of course it is a failed approach, so much so that I think it is actually a pretext. Stopping hackers by knowing whom they have hacked? Seriously?
inb4 you would go to jail for patching your VPS a few hours too late.
Oh I’m sure they’d leave a loophole in it, of course you’d have to grease the hole with the kind of money only the big clouds would have. Because what they’re really into, at the end of the day, is protecting the big corporations from competition while creatively phrasing it as a win for the people.
Isn't the fact that Congress doesn't know what "cloud" is precisely why it could pass?
I'd rather they impose ssh keys and MFA.
I guess it's time to stop using one of the big US cloud providers and buy some offshore dedicated servers and VPS.
There will be an incentive for privacy-focused businesses to leave the US. This means Freedom of Expression, which was one of the pillars of the foundation of the country, would become a joke.
Carry on citizen, nothing to see here.
This law is highly possible. We live in strange times (Brexit, Covid with huge restrictions in freedom, wars with people dying for various interests of superpowers, electricity bills going up for no realistic reason, investments in AI for processing huge amount of data faster); so right now I think anything is possible. To be honest, any attack on privacy by politicians for the "well-being" of citizens no longer surprises me - it's quite normal nowadays.
Here's my passport, mr biden, please don't delete my LET account:
Cyka Blyat, why did you post my passport on the Interwebs?
Because it expired 20 years ago. The passport is no longer valid, so the owner can't order services in the USA.
It is certainly a risk that a broad interpretation will be utilized to blanket cover as much as possible. Sigh.
All for the purpose of the "greater good" and "security" ... give me a break.
Some of the most abusive providers out there already require KYC, and nearly all of them require some form of payment tied to your real name. This will change nothing.
Becoz I must has cheez cheap VPSos, that's why.
Realistically, any bad actor is just going to go to another host, probably based in another country, if required to provide KYC for a US ISP...
I can't see many reasons why a hacker would specifically require a server on US soil.
I would say it will affect even non-enterprise. Hackers don't use AWS, Azure and GCP all the time; they also utilize powerful low-cost servers, which can mostly be found here.
A bad actor, especially a hacker, doesn't need to sign up anywhere. They get the servers they want where they want, for free.
THAT is the point I am making, when I say "combating hackers by knowing whom they have hacked." It is stupid to the nth degree.
Remember, these are hackers, not pedophiles, the latter might be dumb dicks, but a hacker will hack whether it is Azure, AWS or the Klingon death cloud. The pedophilia would have worked way better here.
Not that good of a comparison. Actual pedophiles have way better OPSEC than most hackers.
Source?
I was hoping you could elaborate on that, actually. We both know you have a lot of experience.
I am not sure. True, when there is a "need" there is a way, but not everyone can become an expert in such a way that they can hack servers to hide their tracks. Nope, SOME pedophiles MIGHT have SOME OPSEC with a handful very good at it, but hacking random servers? Not really.
I have gathered some experience throughout making as many pedo lives miserable as possible through various methods. Cops are useless, at least here, so you often have to take matters into your own hands to save innocent people.
I can confidently say that most pedos have worse opsec than skids and other low-tier "computer gods". Most pedos are sad incels in their mom's basement operating on the clearnet, often with their own name on it.
"Hacker" is a very overused term and does not relate to anyone in particular - unlike pedo.