Trust & Safety in Cloud Services

Exploring a collective approach to deterring foreign malicious cyber actors’ abuse of U.S. infrastructure

Malicious cyber actors have long employed network obfuscation techniques to route and launder their traffic, so as to conceal its true source and make it harder for cyber defenders to detect and block. This tradecraft has evolved to include the use of Infrastructure as a Service (IaaS) products—such as Virtual Private Servers—to obfuscate foreign-based malicious traffic by appearing as domestic in origin and evade government surveillance by rapidly provisioning, using, and abandoning accounts before they can be investigated. A robust criminal market for stolen IaaS account credentials, often involving dormant accounts, and layers of resellers further insulate malicious actors from accountability.

U.S. regulators in early 2024 proposed a rule that would require increased due diligence efforts by IaaS providers of their foreign customers to prevent and address such abuse. As an alternative to its know-your-customer requirement, the rule would invite proposals for alternative countermeasures including a “consortium” approach among providers and potentially relevant government agencies. To help advance the development of creative alternatives, the Institute for Security and Technology (IST) in partnership with the Cyber Threat Alliance (CTA) is studying this topic with an aim to provide recommendations for how a consortium could be shaped to best accomplish the government’s overall objective of deterring abuse.

Latest from Trust & Safety in Cloud Services

IST Submits Comments on the Bureau of Industry and Security’s Proposed Regulation Involving U.S. Infrastructure as a Service Products
IST in May 2024 submitted comments on the U.S. Department of Commerce, Bureau of Industry and Security’s Notice of Proposed Rulemaking on Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, which intends to deter foreign malicious cyber actors’ use of U.S. Infrastructure as a Service (IaaS) products.

May 2024 | Response to RFI

Support