NSTAC report offers guidance on combating abuse of domestic infrastructure.
By Ladzer Odotei Blumenfeld, CyberWire stringer
Sep 28, 2023

Domestic infrastructure can be abused in ways that threaten privacy and identity.

On Tuesday, the US National Security Telecommunications Advisory Committee (NSTAC) approved a slate of recommendations focused on fighting cyberattacks targeting domestic infrastructure, Nextgov reports. Among other initiatives, the guidance tasks the federal government with standing up a public-private task force focused on creating a framework of best practices for combatting the foreign abuse of domestic infrastructure (ADI).

Government should seek to engage the private sector in testing privacy-protecting technologies.

The report also calls for the government to work with developers of commercial products and emerging tech to test privacy-enhancing technologies and bolster data sharing initiatives. NSTAC’s guidance recommends that the strategy be led by the Office of the National Cyber Director and supported by public-private partnerships. "While many facets to combat ADI are currently in place or under development, a strategic, coordinated approach is essential to help unify these efforts," the report states.

As the Messenger notes, the report also stated that cloud companies collecting identity verification data from users during the signup process might not be the cybersecurity solution it was once considered. The Department of Commerce is preparing to issue those “Know Your Customer” (KYC) requirements in the coming months, the idea being that collecting personal data during the signup could be a deterrent to cybercriminals, who do not want to be identified in connection with their activities. However, as NSTAC states, the requirement “would be unlikely to decrease [the abuse of U.S. cloud infrastructure] by malicious foreign actors” and “would likely do more harm than good.” 

Privacy protection involves identity protection.

Enhancing privacy involves improving identity protection, and that's valuable against both criminal and state-espionage threats.

NSTAC explains that cybercriminals, who have become quite savvy at posing as legitimate citizens, might have no trouble believably verifying fraudulent identities. And customer identity requirements could push users from foreign partners like the EU to rely more on foreign-based platforms in order to avoid what could be construed as US surveillance. The report states, “There is concern that the prime beneficiaries of U.S. KYC requirements will be Chinese cloud providers like Alibaba and Huawei, especially in those emerging markets where concerns about Chinese data collection are not a priority.”

The Center for Cybersecurity Policy and Law adds that NSTAC recommends focusing not only on threats from foreign actors, as cybercriminals are often able to disguise their activity to appear domestic. The report states, “There is no technical or other consistent method that can be employed to distinguish ADI between foreign actors and domestic actors with speed and accuracy at the macro level, especially for routine online business transactions…Efforts to impose additional requirements targeting foreign rather than domestic actors will provide even greater incentives for malicious foreign actors to use tactics that make them appear to be domestic actors.”