On January 29, 2024, the U.S. Department of Commerce’s (DOC) Bureau of Industry and Security (BIS) issued a proposed rule seeking to secure U.S. Infrastructure as a Service (IaaS) products against foreign parties seeking to use such products to engage in malicious cyber-enabled activity. Specifically, the proposed rule would impose certain due diligence and reporting requirements on U.S. IaaS providers and their foreign resellers.

The Notice of Proposed Rule Making (NPRM) follows Executive Order 13984 issued by President Trump in January 2021 and Executive Order 14110 issued by President Biden in October 2023. BIS has invited the public to submit comments on the proposed rule by April 29, 2024.

The proposed rule, which would amend the Information and Communications Technology and Services (ICTS) regulations (15 C.F.R. Part 7) administered by the DOC, focuses on the following actions:

• Requiring U.S. IaaS providers and their foreign resellers to implement a Customer Identification Program (CIP).
• Empowering the DOC to prohibit or restrict access to U.S. IaaS products by certain foreign persons or persons in certain foreign jurisdictions.
• Requiring U.S. IaaS providers and their foreign resellers to report known instances of foreign persons training large artificial intelligence models with potential abilities that could be employed in malicious cyber activity (e.g., social engineering attacks or denial-of-service attacks).

Below are the key takeaways regarding the DOC’s proposed rule on IaaS.

The DOC is seeking to regulate in this area based on concerns that foreign persons can use IaaS to engage in malicious activity, including training of large AI models.  

Specifically, policymakers are concerned that foreign parties can remotely access computing power to engage in activity that poses a threat to U.S. national security. For the time being, the U.S. government’s preferred approach to address this risk is by imposing “know your customer” and reporting requirements on the industry, so that regulators can have access to information as necessary.

The proposed rule would require U.S. IaaS providers to establish a CIP requiring identification of foreign customers and their beneficial owners, akin to the “know your customer” information that banks maintain.

The CIP requirement would require U.S. providers and their foreign resellers to capture a large amount of information and would mark a significant change for the industry. Implementing the appropriate procedures and frameworks for compliance would require commitment of resources and would be an essential part of doing business for any company seeking to enter the industry.

Companies can apply for an exemption from the CIP requirement by demonstrating that they have established an “Abuse of IaaS Products Deterrence Program”.

In order to obtain an exemption, a company would have to affirmatively apply to the DOC, which would have discretion to grant the exemption or deny the request. The company would need to demonstrate that it has established a program aimed at detecting and preventing cyber threats. 

The DOC can impose special measures prohibiting or limiting access to U.S. IaaS by foreign persons that are located in a jurisdiction found to engage in a pattern of malicious cyber activities or that have engaged in such activities themselves.

The proposed rule would empower the DOC to identify entire countries (e.g., China) engaged in a pattern of malicious activities or specific individuals or entities engaged in such activity, limiting or prohibiting their access accordingly.

U.S. IaaS providers would be required to make a report to the DOC within 15 days of becoming aware that a foreign person has used their services to train a large AI model with the potential capability to be used for malicious cyber activity.

This would call for significant monitoring on the part of U.S. IaaS providers, and mileage may vary regarding what constitutes reasonable diligence under the circumstances. This part of the proposed rule may be ripe for further guidance from the DOC.

U.S. providers are required to flow through the above requirements to their foreign resellers.

This is a key part of the proposed framework, intended to overcome limitations on information that may be available to U.S. providers based on the reseller model that may be prevalent in the industry to a certain extent. 

The DOC is considering imposing controls on the use of U.S. export-controlled advanced computing items to provide cloud services for use in training large AI models. 

This is an important part of the policy conversation and should be part of the risk calculus for companies in the industry. Specifically, policymakers are concerned that while U.S. export controls have been somewhat effective in cutting off exports to China of advanced semiconductors, China still has access to remote computing power in training large AI models.

The DOC would enact the rules by amending its Information and Communications Technology and Services (ICTS) regulations. 

The ICTS regulations are the most import tech regulations that you have never heard of. You will be hearing a lot more about them in the future. In the months and years to come, the DOC will be taking action to secure the ICTS supply chain. Most recently, this was done by issuing an advance notice of proposed rulemaking regarding connected vehicles.

The DOC’s proposed rule would usher in new reporting requirements for the U.S. IaaS industry. However, it is important to keep in mind that it remains a proposal, and that the DOC will be accepting comments on the proposal through April 29, 2024. It will be important for providers to monitor developments in this area, as a final rule likely will impose significant compliance requirements.