Sec. 3. Recommendations for Cooperative Efforts to Deter the Abuse of United States IaaS Products. (a) Within 120 days of the date of this order, the Attorney General and the Secretary of Homeland Security, in coordination with the Secretary and, as the Attorney General and the Secretary of Homeland Security deem appropriate, the heads of other agencies, shall engage and solicit feedback from industry on how to increase information sharing and collaboration among IaaS providers and between IaaS providers and the agencies to inform recommendations under subsection (b) of this section.
(b) Within 240 days of the date of this order, the Attorney General and the Secretary of Homeland Security, in coordination with the Secretary, and, as the Attorney General and Secretary of Homeland Security deem appropriate, the heads of other agencies, shall develop and submit to the President a report containing recommendations to encourage:
- voluntary information sharing and collaboration, among United States IaaS providers; and
- information sharing between United States IaaS providers and appropriate agencies, including the reporting of incidents, crimes, and other threats to national security, for the purpose of preventing further harm to the United States.
(c) The report and recommendations provided under subsection (b) of this section shall consider existing mechanisms for such sharing and collaboration, including the Cybersecurity Information Sharing Act (6 U.S.C. 1503 et seq.), and shall identify any gaps in current law, policy, or procedures. The report shall also include:
- information related to the operations of foreign malicious cyber actors, the means by which such actors use IaaS products within the United States, malicious capabilities and tradecraft, and the extent to which persons in the United States are compromised or unwittingly involved in such activity;
- recommendations for liability protections beyond those in existing law that may be needed to encourage United States IaaS providers to share information among each other and with the United States Government; and
- recommendations for facilitating the detection and identification of Accounts and activities that involve foreign malicious cyber actors.
Sec. 4. Ensuring Sufficient Resources for Implementation. The Secretary, in consultation with the heads of such agencies as the Secretary deems appropriate, shall identify funding requirements to support the efforts described in this order and incorporate such requirements into its annual budget submissions to the Office of Management and Budget.
Sec. 5. Definitions. For the purposes of this order, the following definitions apply:
(a) The term “entity” means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization;
(b) The term “foreign jurisdiction” means any country, subnational territory, or region, other than those subject to the civil or military jurisdiction of the United States, in which any person or group of persons exercises sovereign de facto or de jure authority, including any such country, subnational territory, or region in which a person or group of persons is assuming to exercise governmental authority whether such a person or group of persons has or has not been recognized by the United States;
(c) The term “foreign person” means a person that is not a United States person;
(d) The term “Infrastructure as a Service Account” or “Account” means a formal business relationship established to provide IaaS products to a person in which details of such transactions are recorded.
(e) The term “Infrastructure as a Service Product” means any product or service offered to a consumer, including complimentary or “trial″ offerings,
