Malicious cyber actors have long employed network obfuscation techniques to route and launder their traffic, so as to conceal its true source and make it harder for cyber defenders to detect and block. This tradecraft has evolved to include the use of Infrastructure as a Service (IaaS) products—such as Virtual Private Servers—to obfuscate foreign-based malicious traffic by appearing as domestic in origin and evade government surveillance by rapidly provisioning, using, and abandoning accounts before they can be investigated. A robust criminal market for stolen IaaS account credentials, often involving dormant accounts, and layers of resellers further insulate malicious actors from accountability.
U.S. regulators in early 2024 proposed a rule that would require increased due diligence efforts by IaaS providers of their foreign customers to prevent and address such abuse. As an alternative to its know-your-customer requirement, the rule would invite proposals for alternative countermeasures including a “consortium” approach among providers and potentially relevant government agencies. To help advance the development of creative alternatives, the Institute for Security and Technology (IST) in partnership with the Cyber Threat Alliance (CTA) is studying this topic with an aim to provide recommendations for how a consortium could be shaped to best accomplish the government’s overall objective of deterring abuse.
Latest from Trust & Safety in Cloud Services
Deterring the Abuse of U.S. IaaS Products: Recommendations for a Consortium Approach
Informed by a year of working group discussions with IaaS providers and other experts, “Deterring the Abuse of U.S. IaaS Products: Recommendations for a Consortium Approach” examines the Commerce Department’s proposed rule requiring all U.S.-based IaaS providers to implement a Customer Identification Program for foreign customers or establish an Abuse of IaaS Products Deterrence Program (ADP). Authors Steve Kelly and Tiffany Saade make recommendations for how an ADP consortium, powered by AI and privacy-preserving technologies such as federated learning, could be shaped to best accomplish the government’s overall objective of deterring abuse.
February 2025 | Report
IST Submits Comments on the Bureau of Industry and Security’s Proposed Regulation Involving U.S. Infrastructure as a Service Products
IST in May 2024 submitted comments on the U.S. Department of Commerce, Bureau of Industry and Security’s Notice of Proposed Rulemaking on Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, which intends to deter foreign malicious cyber actors’ use of U.S. Infrastructure as a Service (IaaS) products.
May 2024 | Response to RFI
Support
