Date: 2023-08-12

LAS VEGAS — The U.S. government’s cybersecurity agency convened the hacker community on Friday to help the agency figure out how to stop foreign governments and cyber criminals from using U.S.-based computer servers to launch their attacks.

Because security software often blocks internet traffic from certain countries, hackers based in those countries — including Russia and China — have increasingly begun renting access to computer infrastructure from American companies. The Cybersecurity and Infrastructure Security Agency (CISA) wants to tackle this misuse of what are known as virtual private servers (VPS), and at the DEF CON cybersecurity conference, several staffers from the agency’s Joint Cyber Defense Collaborative (JCDC) held a feedback session to hone their approach.

“What are we supposed to do about this?” JCDC cyber operations planner David Forscey asked as he kicked off the session. “We’re here to get your ideas for how the government can get at this problem.”

The CISA employees divided the room of roughly two dozen DEF CON attendees into two groups, one focused on the technical aspects of detecting and addressing malicious activity and the other focused on how the government should work with VPS providers to keep hackers off of their platforms.

The technical group dealt with issues such as defining the malicious behavior that VPS providers should watch for, tactics used by hackers to hide their activities and techniques for spotting them.

One participant told the CISA observers that security researchers often set up computers with deliberately exposed vulnerabilities — known as “honeypots” — to gather information about hackers who try to exploit them. By analyzing traffic to these honeypots, the government could identify the VPS companies most often exploited by hackers.

The CISA employees appeared eager to gather as much information as they could about the way that security companies waged digital combat with hackers abusing VPS. When the subject of honeypots came up, JCDC cyber operations planner Emily Paull asked participants how much of that monitoring was currently happening. “A lot,” came the response.

At one point, the discussion turned to hackers’ use of the Tor anonymity service to mask their activities, a tactic that makes it harder for VPS providers to identify and remove them. One participant said that VPS providers could block traffic from internet infrastructure associated with the Tor network. When JCDC cyber operations planner Peter Su asked if CISA should promote that as a best practice for these vendors, a participant jumped in to say that it wouldn’t solve the problem. “Whatever you do,” they said, “attackers will find a way around it.”

One participant cast doubt on the likelihood of VPS providers working with the government. The companies, this person argued, had no incentive to minimize hackers’ use of their platforms.

The stage at the DEF CON security convention in Las Vegas, Nevada on August 11, 2023. Eric Geller/The Messenger

Vendors’ incentives were at the heart of the conversation happening on the other side of the table, where participants strategized over how the government could convince VPS providers to get tougher on hackers.

One participant told the CISA staffers that it wasn’t correct to say that no VPS provider wanted to provide a home for cyber criminals. “Some mom-and-pop shops, that’s another dollar a month,” this person said. “Do they actually care? They don’t.”

It quickly became clear that the government needed to frame cooperation against hackers as a financial imperative for VPS providers. When a CISA staffer asked participants how to do this, one person said that the companies had to fear reputational harm from providing hackers with a safe haven. Another person said that many of these companies, particularly the larger ones, were eager for good PR and would jump at the chance to show how they partner with the government to keep their networks clean.

“They want large customers to feel comfortable in their network,” this person said.

The CISA employees were particularly interested in how to effectively form relationships with VPS providers. There are hundreds of these companies in the U.S., and most of them don’t have deep relationships with CISA the way that industry titans like Google and Microsoft do.

One person told the CISA employees to “meet them where they’re at” by signing up for the forums where VPS employees communicate. If CISA staffers joined these forums with their government email addresses, this person said, “that will blow their minds,” because they’d never expect that level of outreach.

“Making it easy for them to be good partners is the best thing that you can do,” one person said.

DEF CON attendees had one clear warning for CISA: The government shouldn’t focus on sending legal letters to VPS providers demanding that they disable hackers’ accounts. “It takes valuable resources for them to process that,” someone said. “That’s the wrong way to approach it.”