Key Takeaways:

  • New proposed rule by the Department of Commerce's Bureau of Industry and Security ("BIS") could subject U.S. cloud service providers and their foreign resellers to data collection and reporting requirements.
  • If the rule becomes final, U.S. Infrastructure as a Service ("IaaS") providers and their foreign resellers would have one year to develop a Customer Identification Program ("CIP") to collect and maintain personal identifying information about their current and prospective customers.
  • The proposed rule would require U.S. IaaS providers and their foreign resellers to submit reports about transactions with foreign persons where U.S. IaaS products are used to train large AI models with potential capabilities that could be used in malicious cyber-enabled activity.
  • BIS is inviting public comments on the proposed rule by April 29, 2024.

On January 29, 2024, BIS proposed a rule that would impose new requirements on U.S. providers of Infrastructure as a Service ("IaaS") products and their foreign resellers. The proposed rule would require U.S. IaaS providers and their foreign resellers to implement measures to verify the identity of their customers in ways similar to those required of financial institutions. The rule aims to deter foreign actors from using U.S. IaaS products for malicious activities.

Background

IaaS products offer customers the ability to run software and store data on servers offered for rent or lease without having to assume the direct maintenance and operating costs of those servers. BIS is concerned that malicious foreign cyber actors have been using U.S. IaaS products to steal intellectual property and sensitive data, engage in covert espionage activities, and threaten national security by targeting U.S. critical infrastructure.

Moreover, the U.S. government is concerned about the emergence of large-scale computing infrastructure to which U.S. IaaS providers and foreign resellers provide access as a service, and which malicious foreign actors could use to train large AI models that can assist or automate their malicious cyber activity. The proposed rule aims to address those threats coming from the misuse of U.S.-based IaaS products and services.

Customer Identification Program (CIP) Requirements for U.S. IaaS Providers and Their Foreign Resellers

Under the proposed rule, U.S. IaaS providers and their foreign resellers would be required to maintain CIPs, perform effective customer verification, and maintain identifying information about their foreign customers. BIS proposes to require that all U.S. IaaS providers implement their own CIPs, require CIPs from their foreign resellers, and report to BIS on these CIPs.

At a minimum, BIS is proposing that the following customer data would be collected by U.S. IaaS providers and their foreign resellers:

  • Customer name and nationality (including all beneficial owners of an account at its inception and any new beneficial owner added to the account).
  • Address.
  • Means and source of payment for each customer's account including: credit card number; account number; customer identifier; transaction identifier; virtual currency wallet or wallet address identifier; equivalent payment processing information, for alternative sources of payment; or any other payment sources or types used.
  • Email address and telephone number.
  • Internet protocol (IP) addresses used for access or administration of the user account.

U.S. IaaS providers and their foreign resellers would not be required to verify the identity of customers with accounts opened by or on behalf of a U.S. person, unless a foreign beneficial owner is added to the account, or the account (or a portion of the account) is resold to a foreign person.

The proposed rule would require that U.S. IaaS providers only initiate or continue a reseller relationship with foreign resellers that maintain and implement a CIP meeting the same requirements as the CIPs of U.S. IaaS providers. U.S. IaaS providers would be allowed up to one year to implement such CIPs and notify BIS accordingly. U.S. IaaS providers would also be required to furnish a copy of any foreign reseller's CIP to BIS within ten calendar days following a request from BIS.

Under the proposed rule, all CIPs must include procedures for handling circumstances in which the U.S. IaaS provider or foreign reseller is unable to verify the identity of a customer. Those procedures should describe (i) when the customer is to be prevented from opening an IaaS account; (ii) the terms under which the customer may be granted temporary and limited access while the provider attempts to verify the customer's identity; (iii) when an account is to be closed because the customer's identity cannot be verified; and (iv) the redress and issue-management measures that address situations in which a legitimate customer fails identity verification, or in which a customer's information was compromised and used to establish a fraudulent account.

Exemptions From CIP Requirements

The proposed rule allows the Secretary of Commerce, in consultation with certain other department secretaries and government officials, to exempt U.S. IaaS providers, foreign resellers, or any specific type of account or lessee from the proposed requirements if they are found to be compliant with security best practices that otherwise deter abuse of IaaS products. To be found compliant with security best practices, a provider must have an Abuse of IaaS Products Deterrence Program ("ADP"). The ADP would need to satisfy a long list of requirements (contained in §7.306 of the proposed rule) before an exemption could be considered.

Special Measures

BIS proposes regulations to implement special measures when the Secretary determines that reasonable grounds exist for concluding that a jurisdiction or person outside of the U.S. "has any significant number of foreign persons offering U.S. IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining U.S. IaaS products for use in malicious cyber-enabled activities." Upon such a determination, the Secretary could impose conditions on opening or maintaining accounts within that foreign jurisdiction, or on opening or maintaining accounts by certain foreign persons.

AI Reporting Requirements

Under the proposed rule, U.S. IaaS providers and foreign resellers would be required to submit a report to the Secretary when they have knowledge that a foreign person has transacted with them to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. The report would include, at a minimum, the identity of the foreign person and information about the training run (the process by which the AI model learns from data using computing power).

Conclusion

The proposed IaaS rule would significantly impact U.S. IaaS providers and foreign resellers. Foreign AI companies that use U.S. IaaS products could also be affected by this rule. Those impacted by the proposed rule should strongly consider submitting comments, which must be received by April 29, 2024. Foley Hoag's International Trade & National Security team can assist in effectively submitting those comments to BIS.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.