Commerce Department Issues Rulemaking Notice for IaaS User Verification
The Department of Commerce published a Federal Register notice on Friday seeking industry feedback on how to implement rules to prevent the exploitation of infrastructure-as-a-service products for malicious cyber activity.
Comments are due within 30 days of the notice’s publication date, Nextgov reported.
In the document, the Commerce Department took note of how foreign actors take advantage of loopholes in the rules for IaaS product usage to conduct cyber activities against U.S. interests.
“IaaS products provide the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers,” the notice stated.
Malicious actors destroy traces of evidence of their prior activities while using IaaS products, making it increasingly difficult to track and obtain information about them in a timely manner.
The Commerce Department recommends that IaaS providers be required to verify the identity of persons obtaining an IaaS account and maintain records of those transactions.
The proposed rule falls under Executive Order 13984 issued by former President Donald Trump.
Released in January in the wake of multiple large-scale attacks, EO 13984 requires more robust recordkeeping practices and user identification and verification standards to aid investigative efforts.
The order covers the role of resellers, which security firm CrowdStrike believes to have been exploited by Russian actors behind the hack on Microsoft’s Office 365 customers.