Today, the Department of Commerce (Department) published a notice of proposed rulemaking (NPRM) for establishing new requirements for Infrastructure as a Service providers (IaaS or “cloud infrastructure providers”). The NPRM outlines proposed requirements to address the risk of foreign malicious actors using U.S. cloud services that could be used in malicious cyber-enabled activity to harm U.S. critical infrastructure or national security, including to train large artificial intelligence (AI) models.
This NPRM demonstrates the Biden-Harris Administration’s proactive efforts to address the potential national security risks associated with frontier AI models and the abuse of U.S. cloud infrastructure by malicious actors and is a significant step in implementing the President’s Executive Order (EO) on “Safe, Secure, and Trustworthy Use and Development of Artificial Intelligence” (EO 14110) and the National Cybersecurity Strategy.
“Today’s rule puts foreign malicious cyber actors on notice that we are taking action to prevent them from using our own cloud infrastructure to undermine our national security interests,” said Under Secretary for Industry and Security Alan Estevez. “Today’s proposed rule gives the Secretary of Commerce the tools she needs to address risks while maintaining the Department’s overall approach to national security: to innovate and do business wherever we can, and to protect what we must.”
The proposed rule introduces potential regulations that require U.S. cloud infrastructure providers and their foreign resellers to implement and maintain Customer Identification Programs (CIPs), which would include the collection of “Know Your Customer” (KYC) information. Similar KYC requirements already exist in other industries and seek to assist service providers in identifying and addressing potential risks posed by providing services to certain customers. Such risks include fraud, theft, facilitation of terrorism, and other activities contrary to U.S. national security interests.
The NPRM also authorizes the imposition of certain special measures that can restrict malicious cyber-enabled actors’ access to U.S. IaaS. In this NPRM, the Department seeks feedback on a number of issues, including: minimum verification standards, access, and record-keeping requirements that providers must adopt; the procedures by which the Secretary of Commerce decides when and how to impose a special measure; and the definitions of several key IaaS and AI-related terms as they apply to the regulations.
This NPRM incorporates many of the public comments received in response to a September 24, 2021, Advanced Notice of Proposed Rulemaking (ANPRM). That ANPRM sought feedback on how the Department should implement various provisions of EO 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber Enabled Activities.” Based on these comments, the Department has drafted the proposed rule to clarify requirements for the public in ways that are consistent with industry and public understanding of IaaS-related products and services.
The text of the proposed rule released today is available on the Federal Register’s website here. The deadline for public comments is April 29, 2024.
https://www.federalregister.gov/documents/2024/01/29/2024-01580/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious
This Blog is made available by Wilmarth & Associates for educational purposes as well as to give you general information and a general understanding of export law and compliance, not to provide specific legal advice. This blog is not legal advice and should not be treated as such. You must not rely on this blog as an alternative to legal advice from your attorney or other professional legal services provider. The information provided on this website is presented “as is” without any representations or warranties, express or implied.
