In a recent proposed rule, the Department of Commerce has taken additional steps toward imposing significant regulations on infrastructure as a service (IaaS) providers, including providers engaged in training certain large AI models. The notice of proposed rulemaking (NPRM) is published by Commerce’s Bureau of Industry and Security (BIS) and, in particular, its newly-created Office of Information and Communications Technology and Services (OICTS). The NPRM does not impose any immediate obligations on industry. Rather it requests comments on the proposed rules, which Commerce will consider before issuing a final rule. Comments are due by April 29, 2024.
The NPRM is OICTS’s first step toward implementing the Biden Administration’s executive order on AI (discussed in Steptoe’s alert here) and further implements a prior executive order on IaaS providers (discussed in Steptoe’s alert here).
The NPRM would require providers of IaaS products to implement customer identification programs (CIPs) to verify the identity of foreign customers. The CIP requirement is similar, in many respects, to the CIPs that certain US financial institutions must implement as part of their anti-money laundering (AML) compliance programs. The NPRM also delineates the ability of Commerce to identify foreign jurisdictions and persons posing a heightened threat to US national security and to prohibit or require conditions on the provision of IaaS products to such jurisdictions or persons. IaaS providers would be obligated to identify and report to Commerce when a foreign person uses their products to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. Furthermore, IaaS providers would be required to ensure their resellers comply with the same set of rules.
IaaS CIP Requirement
Who Must Comply
The NPRM would require US providers of US IaaS products to implement and maintain a CIP meeting a variety of enumerated requirements.
- A “US IaaS provider” means “any United States person that offers any Infrastructure as a Service product.” United States person is defined consistent with other US national security regimes to include US citizens and lawful permanent residents, entities organized within the United States, and “any person located within the United States” – the latter of which may cover a wide range of non-US companies with activities or operations in the United States.
- The NPRM contains a detailed definition of “IaaS product,” but generally defines the term to mean “a product or service offered to a consumer … that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.”
- A “US IaaS product” means “any Infrastructure as a Service product owned by any United States person or operated within the territory of the United States.”
For ease of reference, this blog post refers to covered providers simply as “IaaS providers.”
What Must be Contained in the CIP
A CIP would be applied to an IaaS “Account,” which is defined broadly to mean “a formal business relationship established to provide IaaS products to a person in which details of such transactions are recorded.”
The CIP must meet the specific requirements contained in the NPRM and must be “appropriate for the IaaS providers’ size, type of IaaS products offered, and relevant risks ….” In other words, the program must be appropriately “risk-based.” The requirement for a CIP to be risk-based is consistent with CIP requirements in other contexts such as AML requirements for certain US financial institutions. Importantly, this means the Department could find a CIP was inadequate even if it met the precise regulatory requirements of the final rule, because the CIP did not appropriately account for and mitigate heightened risks posed by the IaaS provider’s business.
The CIP must first be able to determine whether an IaaS Account is being opened for a foreign or US person, by assessing whether both the customer itself (including both individual and entity customers) and “all beneficial owners” are US persons. The term “beneficial owner” is defined to mean an individual that “(1) Exercises substantial control over a customer; or (2) Owns or controls at least 25 percent of the ownership interests of a customer.”
The NPRM explains an IaaS provider “must exercise reasonable due diligence to ascertain the true identity of any customer or beneficial owner of an Account who claims to be a U.S. person.” Although the CIP program requirements would apply only to foreign IaaS Account holders (i.e., those determined not be US persons), as a practical matter, IaaS providers may need to apply most or all of the CIP program to all Account holders in order to conduct such “reasonable due diligence.”
If an IaaS provider is unable to determine that a potential customer and all beneficial owners are US persons, then the provider must apply the CIP in full to that customer or beneficial owner. The NPRM outlines several pieces of information that must be obtained, including full legal name or entity name, address, “means and source of payment for the Account,” email, phone number, and internet protocol (IP) address used for account access or administration and the date and time of such access.
The proposed requirements to collect means and source of payment and IP address information are not contained in CIP requirements under AML rules and would be unique to this new regime. Notably, the means and source of payment appears to be related specifically to the method of payment used for the Account, rather than a source of funds review, which assesses how a customer obtained the funds being used. However, source of funds could be necessary as part of a risk-based approach, depending on the facts and circumstances.
In addition to collecting the above information, IaaS providers will also be required to verify the identity of a potential foreign customer and beneficial owners by use of documentary or non-documentary methods, outlined in further detail in the NPRM. For CIP programs under AML rules, documentary methods (such as collecting and reviewing copies of government-issued identity documents) tend to be more common than non-documentary methods.
The CIP must also contain procedures for situations where an IaaS provider is unable to verify a potential customer or beneficial owner’s identity, complying with record keeping requirements, preventing unauthorized access to CIP information by third parties, and periodic reviews and updates for existing customers.
CIP Reporting Requirements
An IaaS provider would be obligated to notify Commerce about its CIP and the CIP of each of its foreign resellers through the submission of a “CIP certification form.” The certification form calls for a variety of information such as tools and procedures used for customer verification; the “mechanisms, services, software, systems, or tools used by the IaaS provider to detect malicious cyber activity;” procedures for supervising foreign resellers, and procedures for identifying when a foreign person transacts to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity, among other requirements.
The certification also calls for a range of information regarding the IaaS provider including its service offerings and customer base, number of employees, number of customers, and a list of all foreign resellers, among several other data points. The certification must also include an attestation that the CIP meets the enumerated regulatory requirements. An updated certification must then be submitted on an annual basis going forward.
More immediate reporting is also required in the event of certain significant changes regarding the IaaS provider or its CIP.
Procedures to Detect Malicious Cyber Activity
Notably, the requirement to maintain procedures to detect malicious cyber activity would mean the program is not just limited to understanding and verifying customer identification, but also requires ongoing monitoring of the substantive activities of a customer, something that may not fit neatly within the concept of a CIP program under other regimes. For example, in the AML context financial institutions are typically obligated to monitor customer transactions, following account opening, and to file suspicious activity reports, where warranted. However, such compliance measures are often viewed as distinct from the customer identification procedures contained in a CIP to determine whether an account should be established.
The term “malicious cyber-enabled activities” is defined broadly to mean activities “that seek to compromise or impair the confidentiality, integrity, or availability of computer, information, or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.”
The NPRM also provides examples of AI-related malicious cyber-enabled activities, including “social engineering attacks, vulnerability discovery, denial-of-service attacks, data poisoning, target selection and prioritization, disinformation or misinformation generation and/or propagation, and remote command-and-control of cyber operations.”
Given the breadth of activities considered “malicious cyber-enabled activities,” IaaS providers may need to invest considerable resources in detecting and deterring such conduct and in drafting written procedures regarding those efforts.
Requirements with Respect to Foreign Resellers
IaaS providers that “contract with, enable, or otherwise allow foreign resellers to resell their U.S. IaaS products” would be obligated to ensure that such foreign resellers implement and maintain a CIP meeting the requirements of the rule. A foreign reseller is defined as “a foreign person who has established an Infrastructure as a Service Account to provide Infrastructure as a Service products subsequently, in whole or in part, to a third party.”
IaaS providers must be able to provide a foreign reseller’s CIP to Commerce within 10 calendar days of a request.
If an IaaS provider has evidence that a foreign reseller has failed to maintain and implement a CIP or demonstrating a “lack of good-faith efforts by the foreign reseller to prevent the use of U.S. IaaS products for malicious cyber-enabled activities,” the foreign reseller must close the Account of the foreign reseller and “if relevant, to report the suspected or actual malicious cyber-enabled activity discovered to relevant authorities ….”
An IaaS provider may continue working with the foreign reseller if the reseller remediates the issue within 30 days and the continued relationship does not “increases the risk its U.S. IaaS products may be used for malicious cyber-enabled activity.” As proposed, this would appear to be a relatively high standard for a US IaaS provider to establish and document.
IaaS providers must also collect information from foreign resellers needed for the annual certification requirement, outlined above, and include that information in annual reports to Commerce.
Compliance Assessments and Government Inspection
Commerce may, at its discretion, conduct reviews of an IaaS provider’s CIP “based on the Department’s own evaluation of risks associated with a given CIP, U.S. IaaS provider, or any of its foreign resellers.” The NPRM contains an illustrative list of criteria that Commerce may consider, including, “Assessing whether the services or products of a U.S. IaaS provider or a foreign reseller are being used or are likely to be used: (i) By foreign malicious cyber actors; or (ii) By a foreign person to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.”
Following a compliance assessment, Commerce may recommend enhancements to an IaaS provider’s CIP program or may consider prohibiting or requiring mitigation of a transaction or class of transactions under the Information Communications and Technology Services (ICTS) Rule, described in our prior blog post.
Exemption for Providers with Approved ADPs
Under the NPRM, Commerce may exempt an IaaS provider from the CIP requirements upon a determination the “IaaS provider has established an Abuse of IaaS Products Deterrence Program (ADP)” meeting certain enumerated standards. Commerce may also make such a finding with respect to a foreign reseller, exempting the IaaS provider from the CIP rules with regard to that specific reseller. An ADP must be “designed to detect, prevent, and mitigate malicious cyber-enabled activities in connection with their Accounts and the IaaS Accounts of its foreign resellers” and must be appropriate given the size and complexity of the IaaS provider’s business and products.
Among other requirements, an ADP must identify potential red flags for the Accounts that the IaaS provider offers or maintains, contain measures to detect the existence of such red flags, and contain procedures to respond to any detected red flag to “prevent and mitigate malicious cyber-enabled activities.” The ADP must be updated regularly and must contain requirements for a number of related matters such as employee training and oversight of foreign resellers. The NPRM contains significant additional detail on the requirements for ADPs.
IaaS providers wishing to obtain an exemption for themselves or one or more of their foreign resellers must make a written submission to Commerce, containing the ADP. An annual notification to Commerce is required to maintain an exemption.
Given the significant requirements necessary for an ADP to be approved, it is unclear if use of an ADP would materially reduce the compliance burden on an IaaS provider as compared to a CIP. However, use of an ADP may give IaaS providers additional flexibility to structure the program as compared to the prescriptive CIP requirements.
Special Measures for Certain Foreign Jurisdictions and Foreign Persons
The NPRM would authorize Commerce to prohibit or impose conditions on (1) customers, potential customers, or accounts within certain foreign jurisdictions and (2) certain foreign persons upon a finding that “reasonable grounds exist for concluding that a foreign jurisdiction or foreign person is conducting malicious cyber-enabled activities using U.S. IaaS products….” The NPRM contains additional detail on the process and criteria used for undertaking such evaluations. Any special measures are valid for 365 calendar days, but may be extended by Commerce. IaaS providers will have 180 days to comply with any special measures issued by Commerce. The NPRM does not propose that any specific foreign jurisdictions or foreign persons be covered at this time.
Reporting of Large AI Model Training
In addition to the CIP requirements, the NPRM would require IaaS providers to submit a report to Commerce when they have “knowledge” of a “covered transaction.” The term “covered transaction” means a “transaction by, for, or on behalf of a foreign person which results or could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.” It also includes developments or updates to a prior transaction that cause it have such a result or potential result.
The term “large AI model with potential capabilities that could be used in malicious cyber-enabled activity” means “any AI model with the technical conditions of a dual-use foundation model or otherwise has technical parameters of concern, that has capabilities that could be used to aid or automate aspects of malicious cyber-enabled activity…” This includes, among other conduct, “social engineering attacks, vulnerability discovery, denial-of-service attacks, data poisoning, target selection and prioritization, disinformation or misinformation generation and/or propagation, and remote command-and-control of cyber operations.”
The term “dual-use foundation model” means:
An AI model that is trained on broad data; generally uses self-supervision; contains at least tens of billions of parameters; is applicable across a wide range of contexts; and that exhibits, or could be easily modified to exhibit, high levels of performance at tasks that pose a serious risk to security, national economic security, national public health or safety, or any combination of those matters, such as by: (i) Substantially lowering the barrier of entry for non-experts to design, synthesize, acquire, or use chemical, biological, radiological, or nuclear (CBRN) weapons; (ii) Enabling powerful offensive cyber operations through automated vulnerability discovery and exploitation against a wide range of potential targets of cyber attacks; or (iii) Permitting the evasion of human control or oversight through means of deception or obfuscation.
Importantly, models meet that definition “even if they are provided to end users with technical safeguards that attempt to prevent users from taking advantage of the relevant unsafe capabilities.”
Notably, the examples provided in (i)-(iii) above appear to be merely illustrative and not exhaustive. The fact that technical safeguards cannot be considered when determining whether a model falls within the definition will serve to significantly broaden the range of models contained in that definition. The NPRM would not require any knowledge that an actor actually intends to use a dual-use foundation model for malicious purposes, only that the model “could” be used for malicious purposes. Commerce may publish additional definitional detail in subsequent “interpretive rules.”
Reports would need to be submitted within 15 calendar days of a “covered transaction” occurring or an IaaS provider having “knowledge” that a “covered transaction” occurred.
IaaS providers would also be required to obligate their foreign resellers to submit a report when they have “knowledge” of a “covered transaction.” Upon receipt of evidence or facts indicating a foreign reseller has not complied with this reporting requirement, the IaaS provider must “notify the foreign reseller of the alleged violation and request written confirmation and supporting evidence of compliance, remediation, or both.” If the foreign reseller does not remediate or remains out of compliance the IaaS provider “must suspend the provision of U.S. IaaS products to the foreign reseller, and shall resume provision of U.S. IaaS products only after the foreign reseller has provided adequate assurances to prevent future violations.”
Path Forward for NPRM and OICTS
Commerce welcomes comments on the full range of proposals in the NPRM. Comments are due on April 29, 2024. While the NPRM contains a number of specific issues on which Commerce is particularly interested in receiving comments, interested parties may comment on any aspect of the rule. Commerce will then review and consider the industry comments before issuing a final rule.
The NPRM marks a significant step forward for OICTS, which is a new office within BIS and just recently appointed its first executive director, Elizabeth Cannon. Director Cannon previously served in a number of roles at the Department of Justice. As OICTS continues to add staff and resources it will likely move quickly to implement the authorities for which it is responsible and become more aggressive in using existing tools such as the ICTS rule.
In addition to this NPRM, IaaS providers should also continue to monitor developments related to BIS’s export controls regime. In particular, when announcing expanded export controls targeting certain advanced computing items, including certain semiconductors used to train AI models, BIS requested comments on the feasibility and advisability of additional export controls targeting the provision of IaaS related to dual-use AI foundation models. The publication of this NPRM likely suggests that BIS is not planning any imminent actions with respect to additional export controls, but it is nonetheless an important area for IaaS providers to continue monitoring. For additional information regarding this rule or assistance in preparing and submitting a comment, please contact a member of our Artificial Intelligence Group, Export Controls Group, or National Security/CFIUS Group.