Deterring the Abuse of U.S. IaaS Products: Recommendations for a Consortium Approach

Steve Kelly, Tiffany Saade

SUMMARY

Malicious cyber actors have long employed network obfuscation techniques to route and launder their traffic, so as to conceal its true source and make it harder to detect and defend against. Infrastructure established to support their operations can include compromised computers, routers, Internet of Things devices, and even Infrastructure as a Service (IaaS) products like Virtual Private Servers (VPS). In this latter example, the actors often seek to evade government surveillance by rapidly provisioning, using, and abandoning IaaS accounts before they can be investigated, and layers of resellers further insulate malicious actors from accountability.

President Trump in January 2021 issued Executive Order 13984 to address the problem of foreign malicious cyber actors leveraging domestic IaaS products to conduct computer network exploitation against U.S. targets. The order seeks to address this risk through a rulemaking that would require providers to verify foreign customers’ identities, maintain records, limit access to certain foreign actors, and encourage cooperation among providers. 

The U.S. Department of Commerce, Bureau of Industry and Security (BIS) in late January 2024 published a notice of proposed rulemaking on this topic requiring IaaS providers to establish a Customer Identification Program (CIP) that would apply to all foreign customers. However, the proposed rule offers an alternative path in which an IaaS provider may be exempted from establishing a CIP upon “a finding by the Secretary [of Commerce] that a U.S. IaaS provider, U.S. IaaS provider’s foreign reseller, Account, or lessee implements security best practices to otherwise deter abuse of IaaS products” through an Abuse of IaaS Products Deterrence Program (ADP).

The proposed rule also suggested an IaaS provider’s participation in a “consortium to develop and maintain privacy-preserving data sharing and analytics to enable improved detection and mitigation of malicious cyber-enabled activities” would be a factor in granting such an exemption request. This report therefore examines the proposed rule’s inclusion of the “consortium” concept; provides recommendations for how an ADP Consortium could be shaped to best accomplish the government’s overall objective of deterring abuse, including beyond the proposed rule’s focus on data sharing and analytics; and proposes a potential model.

The report’s key recommendations are as follows:

  • Recommendation #1 – Manage risk over an account’s lifecycle, not just a point-in-time. The proposed rule’s default CIP requirement—which primarily requires identity verification at enrollment—would drive significant compliance cost without commensurate risk reduction in the authors’ view. However, the ADP option has the potential to drive meaningful ecosystem-level benefit, particularly when supported by a consortium of IaaS providers. For providers to pursue this path, a rule must offer a grace period for good-faith efforts to pursue that option (i.e., a pause in the clock for establishing a CIP) and due process in the event the regulator seeks to revoke approval for a previously approved ADP.
  • Recommendation #2 – Begin with core IaaS providers; expand cautiously to other stakeholder types. The ADP Consortium, at its core, is about joining U.S. IaaS providers of all sizes—from hyperscalers to new market entrants. Once established, this report recommends expanding the pool to reputable foreign providers to further shrink the surface area from which bad actors can operate. As a next concentric circle, the addition of prominent cybersecurity firms would add an additional level of visibility into bad actors’ obfuscation networks that go well beyond IaaS products, but this report cautions against including government agencies as standing members.
  • Recommendation #3 – Adopt a “stepwise” approach to establishing a consortium. This report recommends a stepwise approach to establishing the ADP Consortium, facilitated by either an existing organization well postured for a rapid start or a newly established stand-alone entity. Once established or selected, the first phase would involve planning and cross-sectoral collaboration (“crawl” phase), transitioning towards a more structured collaboration amplified by technical development (“walk” phase), and ending with mature tooling, formalized operational support, and broader collaborative initiatives (“run” phase).
  • Recommendation #4 – Enlist Artificial Intelligence (AI) in the fight. Detecting malicious actors’ infrastructure can be challenging, as such accounts may be idle for extended periods or behave in ordinary ways. AI can help significantly in spotting non-obvious patterns and new tradecraft, particularly when joining forces across multiple large providers through Federated Learning. This report explores such privacy-preserving technologies that might provide an ADP Consortium’s essential technological foundations.